Safety I/O Device Replacement

The process for making a connection to replacement safety I/O is dependent upon multiple factors including the following:
  • Node address
  • Electronic keying compatibility
  • Whether the I/O module configuration is empty (out-of-box) or previously configured
  • The Automatic Configuration setting for the safety controller
ATTENTION:
During replacement or functional testing of a device, the safety of the system must not rely on any portion of the affected device.
The electronic keying configuration affects the process for replacing safety I/O modules. Carefully consider the implications of each of the following electronic keying options.
Electronic Keying Settings
Keying Setting: Compatible Module
Description: Lets the installed device accept the key of the device that is defined in the project when the installed device can emulate the defined device. With Compatible Module, you can typically replace a device with another device that has the following characteristics:
  • Same catalog number
  • Same or higher major revision
  • Minor revision as follows:
    • If the major revision is the same, the minor revision must be the same or higher.
    • If the major revision is higher, the minor revision can be any number.
I/O Replacement Consideration: To maintain the safety signature, the replacement module must meet Compatible Module requirements.

Keying Setting: Disable Keying
Description: Indicates that the keying attributes are not considered when attempting to communicate with a device. With Disable Keying, communication can occur with a device other than the type specified in the project.
ATTENTION:
Be cautious when using Disable Keying. If used incorrectly, this option can lead to personal injury or death, property damage, or economic loss.
We strongly recommend that you do not use Disable Keying. If you use Disable Keying, you must take full responsibility for understanding whether the device being used can fulfill the functional requirements of the application.
I/O Replacement Consideration: Many safety devices do not have a Disable Keying option. Disabled Keying is not recommended for safety applications.

Keying Setting: Exact Match
Description: Indicates that all keying attributes must match to establish communication. If any attribute does not match precisely, communication with the device does not occur.
I/O Replacement Consideration:
  • To maintain the safety signature, the replacement module must be Exact Match.
  • After a firmware change, keying in the safety application must be updated. Updating cannot be done without removing the controller safety signature.
  • Exact Match is often used to meet specific industry requirements.

Automatic configuration enables the safety controller to establish a connection with replacement safety I/O without online user interaction. Automatic configuration is enabled when there is no controller safety signature. Allowing automatic configuration with no safety signature facilitates commissioning and maintenance activities when the safety controller is not being used for SIL-rated functions. Following I/O replacement, you must validate proper operation before using SIL-rated functions.
Two options for I/O device replacement are available on the Safety tab of the Controller Properties dialog box in the Studio 5000 Logix Designer® application:
  • Only Allow Automatic Configuration When No Safety Signature Exists
  • Always Allow Automatic Configuration
Choosing an automatic configuration setting requires an understanding of the safety network topology and the intended use of the safety system during I/O replacement.
Safety I/O Replacement Options

Only Allow Automatic Configuration When No Safety Signature Exists

This option instructs the safety controller to configure a safety device when the safety task does not have a safety signature, and the replacement device is in an out-of-box condition with no safety network number.
If the controller has a safety signature, the safety controller automatically configures the replacement safety I/O device if the following are true:
  • The device already has the correct safety network number.
  • The device electronic keying is correct.
  • The node or IP address is correct.
To set the proper safety network number (SNN) when a controller safety signature exists, manual action is required to download the proper SNN:
  1. In the Studio 5000 Logix Designer®, go online with the safety controller.
  2. Open the Module Properties dialog box.
  3. On the General tab, click Browse (…) next to the safety network number.
  4. Click Set to write the SNN to the module manually.
  5. Verify that the Network Status (NS) indicator is alternating red/green on the correct device.
  6. Click Yes on the confirmation dialog box to set the SNN and accept the replacement device.
  7. Follow your company-prescribed procedures to functionally test the replacement I/O device and system.
For more information, follow the safety I/O device replacement procedure in the controller user manual.

Always Allow Automatic Configuration

The controller attempts to configure a replacement safety I/O device automatically if the device is in an out-of-box condition (a safety network number does not exist in the replacement safety device), and the node number and I/O device keying match the configuration of the controller.
ATTENTION:
Select the Always Allow Automatic Configuration option only if the entire routable safety control system is not being relied on to maintain SIL 2 or SIL 3 behavior during the replacement and functional testing of a device. The routable safety control system includes any device that can have safety connections opened on it by the controller.
If other parts of the safety control system are being relied upon to maintain SIL 2 or SIL 3, make sure that the Always Allow Automatic Configuration option is not selected.
It is your responsibility to implement a process to make sure that proper safety functionality is maintained during device replacement.
ATTENTION:
To place a device in the out-of-box condition on a safety network when the Always Allow Automatic Configuration option is selected, follow the device replacement procedure in the controller user manual.
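
The keying rules and the two automatic configuration settings described above can be combined into a pre-replacement check. The following is an added example, not Rockwell code or part of the original documentation; the Identity fields, the outcome names, and the sample values "CAT-A" and "SNN-1" are assumptions made for illustration, and the handling of an unsigned controller with an already-correct SNN is assumed to mirror the signed case.

```python
# Added example: replacement pre-check modelled on this page's rules.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    # Simplified keying attributes (assumption: catalog number + revision only).
    catalog: str
    major: int
    minor: int

def keying_ok(mode: str, project: Identity, installed: Identity) -> bool:
    if mode == "exact":        # every attribute must match precisely
        return installed == project
    if mode == "compatible":   # the "typical" Compatible Module rule
        if installed.catalog != project.catalog or installed.major < project.major:
            return False
        # Higher major: any minor. Same major: minor same or higher.
        return installed.major > project.major or installed.minor >= project.minor
    if mode == "disabled":     # keying attributes are not considered
        return True
    raise ValueError(f"unknown keying mode: {mode}")

def replacement_outcome(setting: str, has_signature: bool,
                        device_snn: Optional[str], project_snn: str,
                        node_ok: bool, key_ok: bool) -> str:
    """setting is "only_without_signature" or "always"; device_snn None = out-of-box."""
    if not (node_ok and key_ok):
        return "NOT_AUTOMATIC"
    if device_snn == project_snn:
        # Page states this for the signed case; assumed to hold unsigned too.
        return "AUTO_CONFIGURE"
    if device_snn is None:
        if setting == "always" or not has_signature:
            return "AUTO_CONFIGURE"
        return "MANUAL_SNN_SET"   # go online and Set the SNN (steps 1-7)
    return "NOT_AUTOMATIC"        # foreign SNN: no automatic path is listed

# Constructed sample values; "CAT-A" and "SNN-1" are placeholders.
PROJECT = Identity("CAT-A", 2, 3)
if __name__ == "__main__":
    for dev in (Identity("CAT-A", 2, 1), Identity("CAT-A", 3, 0)):
        ok = keying_ok("compatible", PROJECT, dev)
        print(dev, ok, replacement_outcome("only_without_signature", True, None, "SNN-1", True, ok))
```

A MANUAL_SNN_SET result corresponds to the signed-controller case where the out-of-box device must have its SNN written manually before the connection is accepted.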

Automatic Configuration Use Cases

Consider the following examples of when to use a particular automatic configuration setting.
Only Allow Automatic Configuration When No Safety Signature Exists
  • Multi-zone safety system where I/O replacement is required in one zone, while other zones maintain SIL functionality.
  • Multiple controllers with safety I/O on the same routable network.
Always Allow Automatic Configuration
  • The safety system provides no safety function during I/O replacement:
    • Use of energy isolation or other application-specific procedure
    • Other application-specific safeguards are in place
  • The network for safety I/O communication is isolated from external safety devices.