Firmware Upgrade Guidelines for Safety Controllers

IMPORTANT:
You cannot update a controller that is safety-locked.
The IEC 61508 functional safety standard requires impact analysis before you upgrade or modify components in a certified, functional safety system. This section provides high-level guidance on how you can perform the impact analysis for safety controller hardware/firmware upgrades. Reference the standard to make sure you fulfill all requirements as they relate to your application.
When you upgrade controller firmware to a newer version, consider the following:
  • All major and minor firmware releases for safety controller systems are certified for use in safety applications. As part of the certification process, Rockwell Automation® tests the safety-related firmware functions, such as the CIP Safety communication subsystems, embedded safety instruction execution, and safety-related diagnostic functions. The firmware release notes identify changes to safety-related functions.
  • Perform an impact analysis of the planned firmware update:
    • Review the firmware release notes for changes in safety-related functionality.
    • Review hardware and firmware compatibility on the Product Compatibility and Download site to identify potential compatibility conflicts.
    • Any modification or enhancement of your validated software must be planned and analyzed for any impact to the functional safety system as described in the 'Edit Your Safety Application' section in the safety reference manual for your controller.
  • You must remove and regenerate the safety signature as part of the firmware update process.
IMPORTANT:
When updating firmware revisions, the safety logic compiler can change. You must validate that the application compiles correctly when making firmware revisions.
For product change management guidelines and product version management definitions, see System Security Design Guidelines Reference Manual, publication SECURE-RM001.
For example:
  1. From the Product Compatibility and Download Center:
    1. Review all firmware release notes, starting with the original firmware revision through the new firmware revision, to identify any changes that impact the safety-related implementation of the application.
    2. Review hardware and firmware compatibility to identify any restrictions between the original system components and the new system components.
  2. Perform a hazard and risk assessment for any changes that are identified during the impact analysis and determine what additional testing is necessary.
  3. Perform the online and offline edit process that is described in the safety reference manual for your controller. You can restrict the 'Test the Application' block to the testing identified by the hazard and risk assessment.