Edit a Safety Application

The following rules apply to changing your safety application program:
  • Only authorized, specially trained personnel can make program edits. These personnel must use all supervisory methods available, for example, using the controller switch and software password protections.
  • When authorized, specially trained personnel make program edits, they assume the central safety responsibility while the changes are in progress. These personnel must also maintain safe application operation.
  • When you edit online, you must use an alternate protection mechanism to maintain the safety of the system.
  • You must sufficiently document all program edits, which include the following:
    • Authorization
    • Impact analysis
    • Execution
    • Test information
    • Revision information
  • If online edits exist only in the standard routines, those edits are not required to be validated before returning to normal operation.
  • You must make sure that changes to the standard routine, regarding timing and tag mapping, are acceptable to your safety application.
  • You can edit the logic portion of your program while offline or online, as described in the following sections.

Offline Edits

When you make offline edits to only standard program elements and the safety signature matches following a download, you can resume operation.
When you make offline edits to the safety program, you must revalidate all affected elements of the application, as determined by the impact analysis, before you resume operation.

Online Edits

ATTENTION:
Performing online edits to logic, data, or the configuration can affect the safety functions of the system if the edits are performed while the application is running. Online edits should only be done if necessary. If the edits are not performed correctly, they can stop the application. You must use alternative safety measures and constraints during online edits.
Online edits in standard routines are unaffected by the safety-locked or safety-unlocked state.
The following requirements apply to online edits of safety logic:
  • The controller must be safety-unlocked and unsigned. If the controller is locked with safety edits, you must unlock the controller to assemble or cancel the edits.
    Assembling edits makes the online edits a permanent part of the controller program.
    Cancelling edits rejects and deletes any online edits that have not yet been assembled.
  • For safety routines, the controller cannot be locked when there is a pending edit, but it can be locked when there is a test edit.
    A pending edit is a change to a routine that has been made in the Studio 5000 Logix Designer® application, but has not yet been communicated to the controller by accepting the edit.
    A test edit is an online edit that has been accepted and causes the controller to execute the new, edited version of logic. The original, unedited version of logic is still in controller memory, but is not executed.
    IMPORTANT: When you change certain configuration operands of a safety instruction, you must transition the controller to Program mode and back to Run mode before the changes take effect. For affected operands, see the Logix 5000® Controller Safety Application Instruction Set Reference Manual, publication 1756-RM095.
You cannot edit standard or safety Add-On Instructions when the controller is online.
When you make online edits to the safety program, you must revalidate all affected elements of the application, as determined by the impact analysis, before you resume operation.
Limit online edits to minor program modifications, such as setpoint changes or minor logic additions, deletions, and modifications.
The safety-lock and safety signature features of the controller affect online edits. For more information, see Lock the Controller and Generate the Safety Signature.
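The requirements above describe a small state model: pending edit, test edit, assemble, cancel, and the lock and signature conditions that gate each step. The following Python script is an added example, not Rockwell code and not part of the manual; it encodes those documented rules as a checkable change-control gate so that a reviewer can see which operations are permitted in which controller state. The Controller class, the stale_config_operands counter and all function names are hypothetical constructs of this example, not controller attributes or Logix Designer commands.

```python
from dataclasses import dataclass, field


class EditRuleViolation(Exception):
    """Raised when a requested operation breaks one of the documented edit rules."""


@dataclass
class Controller:
    """Hypothetical model of the controller state relevant to online edits."""
    safety_locked: bool = False      # safety-locked / safety-unlocked
    signed: bool = False             # True while a safety signature exists
    pending_edit: bool = False       # edit made in Logix Designer, not yet accepted
    pending_touches_config_operand: bool = False
    test_edit: bool = False          # accepted edit; controller executes the edited logic
    # Constructed counter: changed safety-instruction configuration operands that
    # do not take effect until the next Program -> Run transition.
    stale_config_operands: int = 0
    history: list = field(default_factory=list)


def _require_unlocked_unsigned(c: Controller, op: str) -> None:
    # Online edits of safety logic require a safety-unlocked and unsigned controller.
    if c.safety_locked:
        raise EditRuleViolation(f"{op}: controller must be safety-unlocked")
    if c.signed:
        raise EditRuleViolation(f"{op}: controller must be unsigned")


def edit_standard_routine(c: Controller) -> Controller:
    # Online edits in standard routines are unaffected by the lock state.
    c.history.append("standard routine edit")
    return c


def make_pending_safety_edit(c: Controller, changes_config_operand: bool = False) -> Controller:
    _require_unlocked_unsigned(c, "pending safety edit")
    c.pending_edit = True
    c.pending_touches_config_operand = c.pending_touches_config_operand or changes_config_operand
    c.history.append("pending safety edit")
    return c


def accept_edit(c: Controller) -> Controller:
    # Accepting communicates the edit to the controller; it becomes a test edit.
    if not c.pending_edit:
        raise EditRuleViolation("accept: no pending edit")
    _require_unlocked_unsigned(c, "accept edit")
    c.pending_edit = False
    c.test_edit = True
    if c.pending_touches_config_operand:
        c.stale_config_operands += 1
        c.pending_touches_config_operand = False
    c.history.append("test edit")
    return c


def assemble_edits(c: Controller) -> Controller:
    # Assembling makes the test edit a permanent part of the controller program.
    if not c.test_edit:
        raise EditRuleViolation("assemble: no test edit to assemble")
    _require_unlocked_unsigned(c, "assemble edits")
    c.test_edit = False
    c.history.append("assembled")
    return c


def cancel_edits(c: Controller) -> Controller:
    # Cancelling rejects and deletes unassembled edits; the controller must be unlocked.
    if c.safety_locked:
        raise EditRuleViolation("cancel: unlock the controller first")
    c.pending_edit = c.test_edit = c.pending_touches_config_operand = False
    c.history.append("cancelled")
    return c


def lock_controller(c: Controller) -> Controller:
    # A safety routine with a pending edit cannot be locked; a test edit can be.
    if c.pending_edit:
        raise EditRuleViolation("lock: cannot lock while a pending edit exists")
    c.safety_locked = True
    return c


def unlock_controller(c: Controller) -> Controller:
    c.safety_locked = False
    return c


def cycle_program_run(c: Controller) -> Controller:
    # Program -> Run transition is what makes changed configuration operands take effect.
    c.stale_config_operands = 0
    c.history.append("program->run")
    return c


def config_operands_effective(c: Controller) -> bool:
    return c.stale_config_operands == 0


def allowed(op, c: Controller, **kwargs) -> bool:
    """Return True if the operation is permitted in the current state, False if a rule blocks it."""
    try:
        op(c, **kwargs)
        return True
    except EditRuleViolation:
        return False
```

Running the sequence pending edit, accept, lock, assemble against this model reproduces the text: the lock is refused while the edit is pending, accepted after the edit becomes a test edit, and assembling is then refused until the controller is unlocked again. Whether the edit is permitted by the model says nothing about whether it is safe; the revalidation and documentation steps described above still apply.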

Modification Impact Test

Any modification, enhancement, or adaptation of your validated software must be planned and analyzed for any impact to the functional safety system. All appropriate phases of the software safety lifecycle must be conducted as indicated by the impact analysis. If your validation plan requires cold start or warm start testing of the modification, this can be achieved by transitioning from Program mode to Run mode. Special attention should be paid to the impact of the modification on safety task initialization as described in Custom Tag Initialization During Prescan.
At a minimum, you must perform these actions:
  • Perform functional tests of all impacted software.
  • Document all modifications to your software specifications.
  • Document all test results.
For detailed information, see IEC 61508-3, Section 7.8 Software Modification.
Online and Offline Edit Process