SIL 3 Safety Function: High Pressure Monitoring with Low ......SIL 3 Safety Function: High Pressure...

Application Technique

SIL 3 Safety Function: High Pressure Monitoring with Low DemandProducts: GuardLogix Controller, Cerabar Pressure Transmitter, POINT Guard I/O Analog Input Safety Module, POINT Guard I/O Safety Modules, Samson Globe Valve

Safety Rating: SIL 3 to IEC 61511

Topic Page

Important User Information 2

General Safety Information 3

Introduction 3

Safety Function Realization: Risk Assessment 3

High-pressure Monitoring Safety Function 4

Safety Function Requirements 4

Functional Safety Description 5

Bill of Material 6

Setup and Wiring 7

Configuration 9

Calculation of the SIL Level 19

Verification and Validation Plan 20

Additional Resources 22

SIL 3 Safety Function: High Pressure Monitoring with Low Demand

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

Labels may also be on or inside the equipment to provide specific precautions.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

2 Rockwell Automation Publication SAFETY-AT148A-EN-P - October 2015


General Safety Information

Contact Rockwell Automation to find out more about our safety risk assessment services.

Introduction

This low-demand safety function application technique explains how to wire, configure, and program a GuardLogix® controller and a POINT Guard I/O™ analog input module to monitor a pressure transmitter. If there is high pressure in the process loop, a demand is placed on the safety function. The safety function drops power to a pair of solenoid valves, which vents a pneumatic actuator, placing a pair of globe valves into failsafe position.

This example uses the 1756-L71S GuardLogix controller, but is applicable to any GuardLogix controller.

This example uses two Endress + Hauser Cerabar S PMP71 pressure transmitters, but is applicable to any safety-rated transmitters with a 4…20 mA output.

This example uses redundant final elements consisting of a Samson Type 3241 globe valve, a model 3277 pneumatic actuator, and a model 3963 solenoid valve, but is applicable to any safety-rated final elements that use a 24V DC digital output to place the control valve into its failsafe state.

If different components are used, the Safety Integrity Level (SIL) calculations shown later in this document must be re-calculated using the actual components.

Safety Function Realization: Risk Assessment

The required safety integrity level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety

IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety distance calculations, which are not part of the scope of this document.

Rockwell Automation Publication SAFETY-AT148A-EN-P - October 2015 3


functions of the machine. In this application, the SIL required by the risk assessment is SIL 3 for this safety function. Each safety product has its own rating and can be combined to create a safety function that meets or exceeds SIL 3.

High-pressure Monitoring Safety Function

This application technique includes one safety function: high-pressure monitoring. If high pressure occurs, power is dropped to the solenoid valve(s). This vents the pneumatic actuator(s), placing the control valve(s) into their failsafe position, which is closed (OFF) in this example.

Safety Function Requirements

This safety function is assumed to be low demand, which means that one demand a year or less is placed on the safety function. For low-demand safety functions, the Probability of Failure on Demand (PFD) values are generated for each subsystem and used to calculate the overall SIL level for the safety function.

High pressure in the process loop places a demand on the safety function.

The useful lifetime of the 3963 solenoid valve used in this safety function is eleven years. Therefore, PFD values for ten-year proof test intervals were used for the logic hardware (GuardLogix controller and POINT Guard I/O modules). The sensor and final element hardware (pressure transmitter, globe valve, pneumatic actuator, and solenoid valve) provide PFD values that require one-year proof test intervals.

Most of the hardware used in this safety function requires a hardware fault tolerance (HFT) equal to 1 to achieve SIL 3. The GuardLogix controller and safety I/O modules have a built-in HFT of 1, when two field signals are used. The sensors and final elements require redundant hardware in a 1oo2 configuration to meet an HFT of 1.

To fully utilize the Dual Channel Analog (DCA) safety instruction in the GuardLogix controller, this example uses a single-channel configuration for the two analog channels wired into the 1734-IE4S module. This configuration requires the use of the 1oo1 PFD for the 1734-IE4S module, but this example safety function remains SIL 3 capable with the 1oo1 PFD.

From: Risk Assessment (IEC 61511-1, clauses 8…10)

1. Identification of safety functions

2. Specification of characteristics of each function

3. Determination of required SIL for each safety function

To: Realization and SIL Evaluation



Faults within all the safety function (complex) subsystems are unknown and must be detected at a rate that enables the overall safety function to meet the requirements for SIL 3, per IEC 61511. The vendor must provide Probability of Dangerous Failure on Demand (PFDavg) values for these subsystems.

The safety function in this application technique meets or exceeds the requirements for SIL 3, per IEC 61511.

Functional Safety Description

The elements of the safety system are described in the following sections.

Sensor

The PMP71 pressure transmitter generates a 4…20 mA output signal that is wired directly into one of the analog-input channels on the 1734-IE4S safety analog input module. The PMP71 transmitter is capable of SIL 3 when two transmitters are used and a comparison is done in the logic. In this example, a Dual Channel Analog (DCA) instruction within the GuardLogix controller provides the comparison.

The 1734-IE4S module is capable of SIL 3 when the channel operation for these two signals is configured for Single and the DCA safety instruction is used in the GuardLogix safety controller to compare the two signals against a deadband within the safety task. As mentioned earlier in this document, this requires the use of the 1oo1 PFD for the 1734-IE4S module.

Logic Device

The 1734-IE4S module sends the signals to the GuardLogix safety controller via CIP Safety™ protocol, which is SIL 3-capable. The GuardLogix controller compares the signals against a high-pressure boundary by using the DCA instruction within its safety task. If the DCA detects a discrepancy between the two channels, or if the pressure rises above the boundary, a demand is placed on the safety function. A fault on either pressure transmitter, or a fault within the 1734-IE4S module, generates a signal or status that causes the high-pressure demand on the safety function.

Final Element

When the signals are below the high-pressure boundary, and the status is OK, the GuardLogix controller sends signals over CIP Safety to the 1734-OB8S safety digital output module to energize two output channels. These output channels, in turn, energize the solenoid valves.

When a demand is placed on the high-pressure safety function, the GuardLogix controller de-energizes the two output channels on the 1734-OB8S module. Each output channel drops power to a solenoid valve, which vents a pneumatic actuator, placing a globe valve into failsafe position. If either of these redundant final elements operates properly, then the process loop goes to its safe state, OFF.



Network

CIP Safety protocol inserts the data into the CIP Safety packet twice. One piece of data is normal and the other is inverted. CIP Safety packets are also timestamped by the producer so that the consumer can determine the age of the packet when it arrives. If a good packet does not arrive before the connection reaction time limit (CRTL) expires, then the result is a demand on the safety function.

CIP Safety protocol supports a direct connection between the POINT Guard I/O safety modules and the GuardLogix controller, making the EtherNet/IP™ hardware between these two end devices a black channel. Therefore, the EtherNet/IP hardware does not have to be included in the SIL calculation. The PFD of the CIP Safety protocol has already been included in the controller PFD value.

The assumption is that the Process Safety Time (PST) is much greater than the worst-case reaction time of the safety function, so no reaction time calculations are required.

Bill of Material

This application uses these products.

Cat. No. Description Quantity

PMP71 Endress+Hauser Cerabar S pressure transmitter 2

1756-L71S GuardLogix processor, 2.0 MB standard memory, 1.0 MB safety memory 1

1756-L7SP GuardLogix safety partner 1

1756-EN2TR ControlLogix® EtherNet/IP bridge 1

1756-A4 4-slot ControlLogix chassis 1

1756-PA72 Power supply, 120/240V AC input, 3.5 A @ 24V DC 1

1783-US05T Stratix 2000™ unmanaged Ethernet switch 1

1734-AENT POINT Guard I/O Ethernet/IP communication adapter 1

1734-IB8S POINT Guard I/O input safety module 24V DC 1

1734-OB8S POINT Guard I/O output safety module 24V DC 1

1734-IE4S POINT Guard I/O analog input safety module 1

1734-TB Module base with removable IEC screw terminals 6

Type 3241 Samson Series 240 globe valve 2

Type 3277 Samson pneumatic actuator 2

Type 3963 Samsomatic solenoid valve 2

800FM-G611MX10 800F reset push button - metal, guarded, blue, R, metal latch mount, 1 N.O. contact, standard 2



Setup and Wiring

For detailed information on installing and wiring, refer to the publications listed in the Additional Resources.

System Overview

The 4…20 mA two-wire pressure transmitters are wired directly into the 1734-IE4S module. The 1734-IE4S module sources the 24V DC for the two-wire transmitters.

The final control elements of the safety function are the combination of solenoid, actuator, and globe valve. Each solenoid valve is wired to a safety output on the 1734-OB8S safety output module.

The GuardLogix controller and the three POINT Guard I/O safety modules are connected on an EtherNet/IP network. CIP Safety protocol requires a direct connection between these modules and the GuardLogix controller. This connection makes the EtherNet/IP hardware between these two end devices a black channel. Any EtherNet/IP hardware within an operational network can be used with no effect on the SIL calculation.

The overall safety function must have individual reset buttons for resetting faults and for resetting safety outputs. These reset buttons can be wired to any input module (safety or standard) in your system. The 1734-IB8S safety input module is used in this example. The safety rating of the reset button must not diminish the rating of the relevant safety function. This is accomplished by the trailing edge or falling edge of the button generating the reset command, thus tolerating faults in the reset circuit. Because only reset buttons are being wired into the 1734-IB8S module, it does not have to be included in the safety function SIL calculation.



Electrical Schematic

A schematic for the electrical subsystems is shown below. The final-element configuration chosen for this safety function is generic (no application specified) and is one of very many configurations that can be chosen. The pneumatic connections depend on the devices and configuration chosen. Refer to the vendor-specific installation manuals for information about these connections.

24V DC

24V DC Common

Safety Reset Fault Reset

Solenoid

Solenoid

1734-IE4S1734-IB8S

1734-OB8S



Configuration

The GuardLogix controller is configured by using the Studio 5000 Logix Designer® application. You must create a new project and add the digital input and output safety modules and the analog input safety module. Then, configure the input modules for the proper input types. A detailed description of each step is beyond the scope of this document. Knowledge of the Logix Designer application is assumed.

1. In the Logix Designer application, create a new project with a GuardLogix controller, and click Finish.

2. Select Time Synchronization for the GuardLogix controller and click Apply.



3. In the Controller Organizer, add the 1756-EN2TR module to the 1756 Backplane and click Create.

4. On the General tab, do the following:a. Name the 1756-EN2TR module.b. Type an IP address for the module (your address may differ from the one below).c. Select Appropriate slot number.d. Click OK.

5. Add the 1734-AENT POINT Adapter under the 1756-EN2TR module, and click Create.



6. On the General tab, do the following:a. Change the name.b. Set the IP address (your address may differ from the one below).c. Set the chassis size to 4 because the adapter accounts for one slot.d. Set Connection to None because there is a direct connection between the GuardLogix controller and the

POINT Guard I/O modules.e. Click OK.

7. In the Controller Organizer, add the 1734-IB8S module under the 1734-AENT adapter, and click Create.



8. In the New Module dialog box, do the following:a. Name the module.b. Change Output Data to None.c. Click OK.

Only the reset buttons are wired to the 1734-IB8S. No test outputs are needed, so the output data is set to None.

9. In the Controller Organizer, add the 1734-OB8S module under the 1734-AENT adapter, and click Create.



10. In the Module Properties dialog box, name the module, and click OK.

11. In the Controller Organizer, add the 1734-IE4S module under the 1734-AENT adapter, and click Create.



12. In the New Module dialog box, name the module, and click OK.

The I/O Configuration should now appear as shown.

13. In the Controller Organizer, right-click the 1734-IB8S module and choose Properties to open the Module Properties dialog box.



14. On the 1734-IB8S Input Configuration tab, change channels 4 and 5 to Standard, and click OK.

The reset buttons are standard inputs. Configuring the channels for standard does not alter the channel characteristics. They can be configured for standard or safety in this application.

15. In the Controller Organizer, right-click the 1734-OB8S module and choose Properties to open the Module Properties dialog box.

16. On the 1734-OB8S Output Configuration tab, change channels 4 and 5 to Safety Pulse Test, and click OK.

Output Channels 4 and 5 are wired to the solenoids that drop out the pneumatic actuators. Pulse testing is not required for SIL 3, but the best practice is to pulse test the wires for shorts because, in this example, there is no feedback from the final elements to detect that fault.



17. In the Controller Organizer, right-click the 1734-IE4S module and choose Properties to open the Module Properties dialog box.

18. On the Safety Input Configuration tab, verify that channels 0 and 1 are configured for SINGLE.

To fully utilize the Dual Channel Analog (DCA) safety instruction in the GuardLogix controller, this example uses a single-channel configuration for the two analog channels wired into the 1734-IE4S module. This allows the DCA instruction to monitor for channel discrepancy.

19. On the 1734-IE4S Input Configuration tab, do the following:a. Change channels 0 and 1 to Safety.b. Change the engineering limits.c. Click OK.

The pressure transmitter provides a 4…20 mA signal and the 1734-IE4S module is sourcing the 24V DC for both two-wire transmitters.

20. On the Alarm tab, do the following:



a. For both channels 0 and 1, enable High and Low alarms.b. Set the under-range and over-range alarm values.c. Click OK.

Program the Logic

If the pressure transmitter is within acceptable range, and there are no faults, then the output-enable signal energizes the solenoids. In this example, if the pressure transmitter signal rises above 19 mA (19000 is the raw data value), then the output-enable signal is dropped out, de-energizing the solenoids. If the output enable drops out, a low-to-high transition of the reset is required to energize it. Both analog-input channel status bits were combined into a single status bit in rung 3 for the input status signal of the DCA instruction.

In this program, the modules are represented as follows:• Module 1 (AENT:1) is the 1734-IB8S.• Module 2 (AENT:2) is the 1734-OB8S.• Module 3 (AENT:3) is the 1734-IE4S.

IMPORTANT The configuration of the final element is beyond the scope of this document. The only requirement is that when the solenoid is de-energized, the valve is placed into the safe state (OFF).



The Configurable Redundant Output (CROUT) instruction was not used because there is no feedback from the final element in this example.

Falling Edge Reset

A falling edge reset is used to make sure that the safety output is not reset if the reset button gets jammed when pressed in, or if the input short circuits. In order for the reset function to occur, the reset input must be pressed and released before the outputs can close.



Calculation of the SIL Level

When properly implemented, this high-pressure safety function can achieve a safety rating of SIL 3, according to IEC 61511.

Safety Function SIL Calculation

To generate the 1oo2 PFD values for subsystems 1, 5, and 6, the vendor provided the dangerous undetected failure rate. A Beta factor of 10% was assumed, and a manual test interval of one year was assumed. For subsystems 2, 3 and 4, Rockwell Automation provided the PFD value.

The 3963 solenoid valve has a useful lifetime of eleven years. Therefore, PFD values for ten-year proof test intervals were used for the logic hardware (the GuardLogix controller and the POINT Guard I/O modules). The sensor and final element hardware (globe valve, pneumatic actuator, and solenoid valve) provide PFD values that require one-year proof test intervals.

The sensor, logic, and actuator subsystems can be modeled as follows.

IMPORTANT The PFD for this complete safety function, with the sensor, logic, and actuator subsystems, is 1.12E-04, which consumes 11.2% of the SIL 3 bandwidth. The SIL for the complete safety function is SIL 3.

Subsystem 1 Subsystem 2 Subsystem 3 Subsystem 4 Subsystem 5 Subsystem 6

PMP71 Pressure

Transmitter 1734-IE4S 1756-L71S 1734-OB8S3963

Solenoid Valve

3241 Globe Valve and

3277 Actuator

Input Logic Output



Verification and Validation Plan

Verification and validation play important roles in the avoidance of faults throughout the safety system design and development process. IEC 61511 sets the requirements for verification and validation. The standard calls for a documented plan to confirm that all of the safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The Safety Integrity Level (SIL) of the safety control system is calculated to confirm that the system meets the required SIL specified.

Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions in addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control system.

Table 1 - Verification and Validation Checklist

General Machinery Information

Safety Function Name High Pressure Monitoring

BPCS Name

Customer Name

Test Date

Tester Name(s)

Schematic Drawing Number

Controller Name

Safety Signature ID

Safety Network Number(s)

Studio 5000 Logix Designer Application Version

Safety Control System Modules GuardLogix Modules Firmware Revision

GuardLogix Safety Controller 1756-L71S

CompactLogix™ Ethernet Bridge 1756-EN2TR

POINT I/O™ Ethernet Adapter 1734-AENT

POINT Guard I/O Input Modules 1734-IE4S

POINT Guard I/O Output Modules 1734-OB8S

GuardLogix Safety System Configuration and Wiring Verification

Test Step Verification Pass/Fail Changes/Modifications

1 Verify that the safety system has been designed in accordance with the GuardLogix 5570 Controller Systems Safety Reference Manual, publication 1756-RM099.

2 Verify that the safety application program has been designed in accordance with the GuardLogix Safety Application Instruction Set Safety Reference Manual, publication 1756-RM095.

3 Visually inspect the safety system network and verify that the I/O is wired as documented in the schematics.

4 Visually inspect the Logix Designer application program to verify that the safety system network and I/O module configuration is configured as documented.


http://literature.rockwellautomation.com/idc/groups/literature/documents/rm/1756-rm099_-en-p.pdf



5 Visually inspect the Logix Designer application program to verify suitable safety certified instructions are utilized. The logic must be readable, understandable, and testable with the aid of clear comments.

6 Verify that all input devices are qualified by changing pressure through the full range. Monitor the status in the Controller Tags window.

7 Verify that all output devices are qualified by cycling their respective actuators. Monitor the status in the Controller Tags window.

Normal Operation Verification - The GuardLogix safety system responds properly to all normal Start, Stop, and Reset commands.

Test Step Verification Pass/Fail Changes/Modifications

1 Initiate a Safety Reset command. The solenoid valves should energize for a normal run condition. Verify proper statu s indication and safety application program indication.

2 While the system continues to run, generate a High Pressure signal. The solenoid valves should de-energize and open the globe valves for a normal safe condition. Verify proper status indication and safety application program indication.

3 While the system is stopped, and high pressure signal generated, initiate a Safety Reset command. The solenoid valves should remain de-energized for a normal safe condition. Verify proper status indication and safety application program indication.

4 While the system is stopped, generate a Fault Reset command. The solenoid valves should remain de-energized. Verify proper status indication and safety application program indication.

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

GuardLogix Safety System Tests

Test Step Validation Pass/Fail Changes/Modifications

1 While the system continues to run, create an under-range pressure signal. The solenoid valves should de-energize. Verify proper status indication and safety application program indication. Verify that the system cannot be reset and restarted with fault.

2 While the system continues to run, create an over-range pressure signal. The solenoid valves should de-energize. Verify proper status indication and safety application program indication. Verify that the system cannot be reset and restarted with a fault.

3 While the system continues to run, create a discrepancy between the two pressure transmitters. The solenoid valves should de-energize.


GuardLogix Controller and Network Tests


1 While the system continues to run, remove the Ethernet network connection between the safety I/O and the controller. The solenoid valves should de-energize. Verify proper status indication and I/O connection status in the safety application program.

2 Restore the safety I/O module network connection and allow time to reestablish communication. Verify that the solenoid valves do not automatically energize. Verify proper status indication and safety application program indication. Repeat for all safety I/O connections.

3 While the system continues to run, switch the controller out of Run mode. The solenoid valves should de-energize. Return the key switch back to Run mode. The solenoid valve should remain de-energized. Verify proper status indication and safety application program indication.




Additional Resources

These documents contain more information about related products from Rockwell Automation.

You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.


Final Element Output Tests


1 While the system continues to run, short the two output wires together. This generates a pulse test fault. The solenoid valves should de-energize. Attempt a Safety Reset command. The system should not restart or reset. Verify proper status indication and safety application program indication.

Resource Description

GuardLogix 5570 Controller Systems Safety Reference Manual, publication 1756-RM099 Provides information on how to configure, operate, and maintain GuardLogix 5570 controllers.

GuardLogix Safety Application Instruction Safety Reference Manual, publication 1756-RM095

Describes the Rockwell Automation® GuardLogix Safety Application Instruction Set. Provides instructions on how to design, program, or troubleshoot safety applications that use GuardLogix controllers.

POINT Guard I/O Safety Modules User Manual, publication 1734-UM013 Provides instructions on how to install and configure the POINT Guard I/O modules.

Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 Provides general guidelines on how to install a Rockwell Automation industrial system.

Safety Products Catalog, publication S117-CA001website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page

Provides information about Rockwell Automation safety products.

Product Certifications website, available from the Product Certifications link on http://www.ab.com

Provides declarations of conformity, certificates, and other certification details.



http://www.rockwellautomation.com/literature/


http://www.literature.rockwellautomation.com/idc/groups/literature/documents/rm/1756-rm095_-en-p.pdf

http://www.literature.rockwellautomation.com/idc/groups/literature/documents/rm/1756-rm095_-en-p.pdf

http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1734-um013_-en-p.pdf

http://www.literature.rockwellautomation.com/idc/groups/literature/documents/in/1770-in041_-en-p.pdf

http://literature.rockwellautomation.com/idc/groups/literature/documents/ca/s117-ca001_-en-p.pdf

http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page

http://www.ab.com

http://www.ab.com


Notes:


Allen-Bradley, CompactLogix, ControlLogix, GuardLogix, Guardmaster, LISTEN. THINK. SOLVE, POINT I/O, POINT Guard I/O, Rockwell Automation, Rockwell Software, and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

CIP Safety and EtherNet/IP are trademarks of ODVA, Inc.

Publication SAFETY-AT148A-EN-P - October 2015 Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.

Documentation Feedback

Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature/.

Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400

For more information onSafety Function Capabilities, visit:http://marketing.rockwellautomation.com/safety/en/safety_functions

Rockwell Automation maintains current product environmental information on its website athttp://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.

http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page

http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf

http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf

http://www.rockwellautomation.com/literature/

http://marketing.rockwellautomation.com/safety/en/safety_functions

SIL 3 Safety Function: High Pressure Monitoring with Low ......SIL 3 Safety Function: High Pressure...

Documents

Transcript of SIL 3 Safety Function: High Pressure Monitoring with Low ......SIL 3 Safety Function: High Pressure...