Safety Signature Validation in Logix SIS

Safety signatures in redundant controllers must match and are validated by Logix SIS during these operations:
  • Safety signature generation on a synchronized controller
  • Qualification of the redundant chassis
  • Download of a safety application with a safety signature
IMPORTANT:
When you perform the Redundancy System Update (RSU) process, the change in firmware revision causes a safety signature mismatch on the primary and secondary controllers.
After an online firmware update, it is your responsibility to validate the new safety application on the secondary controller before switching control to the secondary controller.

Validation During Safety Signature Generation

When you generate a safety signature on a synchronized controller, both controllers in the redundant chassis pair generate safety signatures and cross-check to validate that the safety signatures match.

Validation During Redundant Chassis Qualification

If a safety signature exists in the primary controller during qualification, the safety signature undergoes the following validation process:
  1. The unqualified primary controller transfers its safety signature to the unqualified secondary controller.
  2. The unqualified secondary controller independently validates the safety signature that is received from the unqualified primary controller.
  3. If the unqualified secondary controller cannot validate the received safety signature independently, the qualification process ends: neither controller becomes qualified, and the primary controller continues to operate without a qualified secondary controller.

Validation During Safety Application Download

If a safety signature exists in a safety application that you download to a qualified primary controller, the safety signature undergoes the following process:
  1. The qualified primary controller attempts to validate the safety signature:
    • If the primary controller validates the safety signature, it downloads the safety application and then transfers the safety signature to the secondary controller.
    • If the primary controller cannot validate the safety signature, then it does not download the safety application. The controller remains in PROG mode with no application.
  2. When the qualified secondary controller receives a safety signature from the qualified primary controller, it attempts to validate the safety signature independently:
    • If the secondary controller successfully validates the safety signature, then it downloads the safety application.
    • If the secondary controller cannot validate the safety signature, the safety application stays on the primary controller only and is not downloaded to the secondary controller; the primary controller remains in PROG mode.
IMPORTANT: If a safety signature fails validation, then neither standard nor safety logic within the safety application downloads.
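The qualification and download flows above, as an added Python model that is not Rockwell's code: the signature function, the firmware revisions and the controller names are constructed assumptions. It shows how independent validation on each controller leaves a pair unqualified after a firmware revision change and keeps a rejected signature from downloading any logic.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def safety_signature(logic: bytes, firmware_rev: str) -> str:
    # Constructed stand-in for the vendor-defined signature. Binding it to the
    # firmware revision mirrors the page's point that an RSU firmware change
    # alone produces a mismatch between primary and secondary.
    return hashlib.sha256(logic + b"|" + firmware_rev.encode()).hexdigest()


@dataclass
class Controller:
    name: str
    firmware_rev: str
    logic: Optional[bytes] = None  # None: PROG mode with no application
    qualified: bool = False

    def validates(self, logic: bytes, signature: str) -> bool:
        # Each controller recomputes the signature itself; it never accepts
        # the peer's verdict in place of its own check.
        return safety_signature(logic, self.firmware_rev) == signature


def qualify(primary: Controller, secondary: Controller) -> bool:
    """Chassis qualification: primary transfers its signature, secondary
    validates it independently. False means qualification was aborted."""
    if primary.logic is not None:
        sig = safety_signature(primary.logic, primary.firmware_rev)
        if not secondary.validates(primary.logic, sig):
            primary.qualified = secondary.qualified = False
            return False  # primary keeps running without a qualified partner
    primary.qualified = secondary.qualified = True
    return True


def download(primary: Controller, secondary: Controller,
             logic: bytes, signature: str) -> str:
    """Download of a signed safety application to the primary controller;
    returns where the application ends up."""
    if not primary.validates(logic, signature):
        primary.logic = None  # neither standard nor safety logic downloads
        return "rejected: primary in PROG mode with no application"
    primary.logic = logic
    if not secondary.validates(logic, signature):
        return "partial: application on primary only, primary in PROG mode"
    secondary.logic = logic
    return "downloaded to both controllers"
```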