Connect to Safety I/O

Before you use safety I/O, do the following:
  • Read, understand, and follow all safety information in the product documentation for those products.
    As the range of products using the CIP Safety protocol continues to expand, there are variations to the typical safety I/O configuration steps. Product-specific procedures and requirements can include the following:
    • Reset of ownership
    • Setting the safety network number
    • Configuration signature generation
    • Requested packet interval (RPI) limits
    • Device-specific configuration settings
    For more information, see the user manual for your I/O device.
  • Commission all devices with a node or IP address and communication rate before their installation on a safety network.

Network Address Translation

Network Address Translation (NAT) translates one IP address to another IP address via a NAT-configured router or switch. The router or switch translates the source and destination addresses within data packets as traffic passes between subnets. This service is useful if you must reuse IP addresses throughout a network. For example, NAT makes it possible for devices to be segmented into multiple identical private subnets while maintaining unique identities on the public subnet, such as for multiple identical machines or lines.
This section only applies to safety users where the controller and the devices it talks to are on separate sides of the NAT-configured router or switch.
With CIP Safety, the IP address of the device is part of the unique node reference (UNID) that the protocol carries in every safety packet. The device compares the IP address portion of the UNID in incoming CIP Safety packets to its own IP address and rejects any packet where they do not match. The check therefore fails closed: a mismatched UNID does not cause misdelivery, it prevents the safety connection from opening. The controller reaches the device through the translated address, but the CIP Safety protocol requires the UNID to carry the device's actual address (the address on the device's own side of the NAT router), not the translated address the controller uses.
If you use NAT to communicate with a CIP Safety device, use the Advanced Ethernet Settings when you configure the IP address and enable 'Module and controller communicate through Network Address Translation (NAT) devices'.

Safe State

Safety I/O has most of the attributes of standard I/O, except that it features mechanisms certified to SIL 2 or SIL 3 for data integrity. A safety input is a combination of produced and consumed safety tags, mapped safety inputs, and inputs from safety modules.
Safety I/O devices, like sensors and actuators, can be connected to safety input and output modules. The controller monitors and controls the devices. For safety data, I/O communication is performed through safety connections by using the CIP Safety protocol. Safety logic is processed in the controller.
ATTENTION:
  • The safe state of the outputs is defined as the off state.
  • The safe state of the module and its data is defined as the off state.
  • Use safety I/O modules only in applications where the off state is the safe state.
Safety I/O treats the following as the safe state:
  • Safety outputs: OFF
  • Safety input data to controller: OFF
IMPORTANT: If you inhibit a safety module from transitioning to a safe state when a fault occurs because an I/O connection is lost, you accept responsibility for any consequences that result from your decision to inhibit. We recommend that you use other means to maintain the safe state if you inhibit the safety module from transitioning to a safe state.

Configuration Signature and Ownership

One controller owns each safety I/O device in a non-redundant safety system. Multiple controllers and multiple safety I/O devices can be used in chassis or on networks. When a controller owns an I/O device, it stores the configuration data that you define for that device. This configuration controls how the devices operate in the system.
From a control standpoint, one controller controls safety output devices. One controller also owns each safety input device. However, safety input data can be shared (consumed) by multiple controllers.
Configuration Signature
Each safety device has a unique configuration signature that defines the module configuration. The configuration signature includes the following:
  • ID number
  • Date
  • Time
The configuration signature is used to verify a module’s configuration. The signature can only be considered “verified” (and configuration locked) after user testing.
Configuration Ownership
The connection between the owner-controller and the safety module is based on the following:
  • Safety module number
  • Safety module network number
  • Controller node or slot number
  • Controller safety network number
  • Path from the controller to the safety module
  • Configuration signature
If any differences are detected, the connection between the owner-controller and the safety module is lost, and the yellow yield icon appears in the controller project tree.
When a controller owns the I/O module configuration, other controllers can listen to the input module. In this case, the module configuration signature in the Logix Designer project for any listening controller must match the one in the owner-controller project.
  • If the safety module is configured for inputs only, you can copy and paste the configuration signature from the owner-controller project to the listening controller project.
  • If the safety module has safety outputs, the configuration signature parameter is disabled in the listening controller project, because only one controller can own the outputs.

Safety Rating Considerations

Input and output configurations can affect safety ratings.
Input
Some safety input modules have safety inputs that can be configured as single or dual (Equivalent or Complement) point operation types. The selected type configures the safety module to view the inputs individually or as a pair:
  • A single configuration is appropriate for single channel inputs or dual channel inputs that are monitored by a dual channel safety instruction like the Dual Channel Stop (DCS).
  • A dual configuration configures dual channel discrepancy checking to take place at the module level. The channel data from the input module is sent to the controller as either the safe state or energized state. For example, equivalent inputs are either both low (0) or both high (1).
The method of monitoring discrepancy has no impact on the safety rating. The main effect is the availability of diagnostic information:
  • Module-level diagnostics—Status indicators, the input status bit, or application code that messages the I/O module can each be used to monitor a single bit for a discrepancy fault.
  • Dual channel instruction diagnostics—Fault codes identify the channel with the discrepancy and whether the cause is a delay or a change in state on a specific channel.
Output
For output modules, sourcing safety outputs can be configured as point operation type single or dual. The selected type configures the safety module to treat the outputs individually or as a pair:
  • A single configuration allows the outputs to turn on and off individually and to fault independently.
  • A dual configuration verifies that safety task logic operates both outputs as a pair. If one output has a module fault, the other output goes to the safe state.
Bipolar outputs have no configuration for point operation type and must operate as a sinking/sourcing pair.
The point operation type affects the PFH safety rating of the module. PFH (probability of dangerous failure per hour) is the average frequency of a dangerous failure per hour.
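The following is an added example, not Rockwell firmware or Logix code, that models the input and output behaviour described above: module-level dual-channel discrepancy checking for equivalent and complement pairs, reporting a single pair value (energized or safe) to the controller, latching a channel-specific discrepancy fault, and the paired-output rule that a fault on one output sends both to the safe state. The discrepancy-time parameter, the fault strings, and the convention that "channel A high, channel B low" is the energized state of a complement pair are assumptions for illustration.

```python
"""Model of dual point operation for safety inputs and outputs.
Added example, not vendor code; timing limit, fault text and complement
polarity are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PointType(Enum):
    SINGLE = "single"          # channels evaluated individually (pair logic lives in a DCS instruction)
    EQUIVALENT = "equivalent"  # dual: both channels must read the same value
    COMPLEMENT = "complement"  # dual: channels must read opposite values


@dataclass(frozen=True)
class Sample:
    t_ms: int   # sample time in milliseconds
    a: int      # channel A reading, 0 or 1
    b: int      # channel B reading, 0 or 1


SAFE = 0  # the safe state of input data sent to the controller is OFF


class DualChannelInput:
    """Evaluates a channel pair the way a module configured for dual point
    operation would: agreement checked at the module, one pair value reported
    (energized=1 / safe=0), discrepancy fault latched until reset."""

    def __init__(self, point_type: PointType, discrepancy_time_ms: int) -> None:
        if point_type is PointType.SINGLE:
            raise ValueError("single point type reports channels individually; no pair check")
        self.point_type = point_type
        self.limit = discrepancy_time_ms          # assumed configurable parameter
        self.last_ok: Optional[Sample] = None     # last sample where the channels agreed
        self.mismatch_since: Optional[int] = None
        self.fault: Optional[str] = None

    def consistent(self, a: int, b: int) -> bool:
        return a == b if self.point_type is PointType.EQUIVALENT else a != b

    def energized(self, a: int, b: int) -> int:
        if self.point_type is PointType.EQUIVALENT:
            return int(a == 1 and b == 1)
        return int(a == 1 and b == 0)   # complement polarity: assumption

    def evaluate(self, s: Sample) -> Tuple[int, Optional[str]]:
        """Return (pair value reported to the controller, fault code or None)."""
        if self.fault is not None:
            return SAFE, self.fault        # latched: stays safe until the fault is reset
        if self.consistent(s.a, s.b):
            self.last_ok, self.mismatch_since = s, None
            return self.energized(s.a, s.b), None
        # Channels disagree: a transition in progress or a wiring/contact fault.
        if self.mismatch_since is None:
            self.mismatch_since = s.t_ms
        if s.t_ms - self.mismatch_since > self.limit:
            if self.last_ok is None:
                self.fault = "discrepancy: channels never agreed"
            else:
                changed, other = ("A", "B") if s.a != self.last_ok.a else ("B", "A")
                self.fault = (f"discrepancy: channel {changed} changed state, "
                              f"channel {other} did not follow within {self.limit} ms")
        return SAFE, self.fault            # while the pair disagrees it is not energized


def dual_output_pair(cmd_a: int, cmd_b: int, fault_a: bool, fault_b: bool) -> Tuple[int, int]:
    """Dual point operation for sourcing outputs: the safety task must drive both
    as a pair, and a module fault on either channel puts both in the safe state."""
    if fault_a or fault_b or cmd_a != cmd_b:
        return SAFE, SAFE
    return cmd_a, cmd_b


def run(point_type: PointType, samples: List[Sample], limit_ms: int = 250) -> List[Tuple[int, Optional[str]]]:
    chan = DualChannelInput(point_type, limit_ms)
    return [chan.evaluate(s) for s in samples]


# Constructed traces of an equivalent (both normally closed) e-stop, not captured from hardware.
E_STOP_NORMAL = [Sample(0, 1, 1), Sample(10, 0, 1), Sample(50, 0, 0), Sample(100, 0, 0)]   # B follows A in 40 ms
E_STOP_WIRING = [Sample(0, 1, 1), Sample(10, 0, 1), Sample(200, 0, 1), Sample(300, 0, 1)]  # B never follows

if __name__ == "__main__":
    for name, trace in (("normal", E_STOP_NORMAL), ("wiring fault", E_STOP_WIRING)):
        print(name, run(PointType.EQUIVALENT, trace))
    print(dual_output_pair(1, 1, False, True))
```

In the normal trace the pair reports safe during the 40 ms in which channel B lags, then settles at 0 with no fault; in the wiring-fault trace the mismatch outlasts the assumed 250 ms limit, the module latches a fault naming channel A as the one that changed, and every later sample stays in the safe state until the fault is reset. Whichever side performs the check, the pair value reaching the safety logic is the same; what differs is only that the module-level variant exposes a single fault bit where a DCS instruction would expose the channel-specific code.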