Rockwell Automation ICS AADvance Controller

Au: FAN | DA: 2025-09-20


Basic Information and Usage Standards

1. Scope of application and core objectives

Applicable products: AADvance controller series (T9100/T9110 processor modules, T9401/2 digital input modules, etc.) and supporting software (AADvance Workbench 1.4/2.1, AADvance Robust SIS Workstation 2.00), supporting system version 2.011.

Core objective: Define the mandatory standards and the recommendations for SIF safety applications, so that the system meets and maintains the required Safety Integrity Level (SIL), up to a maximum of SIL 3.

2. Key usage requirements

Personnel qualifications: Installation, configuration, operation and maintenance must be carried out by professionally trained personnel who are familiar with the relevant standards (such as IEC 61508 and the NFPA series).

Responsibility statement: If the device is used in a manner that does not comply with the manufacturer's regulations, the protective function of the device may become ineffective. Rockwell is not responsible for indirect or consequential damages, and the examples in the manual are for illustration only and do not represent actual application guarantees.

System core features and certification

1. Core functions and safety design

Application scenarios: Suitable for safety-critical scenarios such as emergency shutdown (ESD), fire and gas detection, rotating machinery control, and burner management, while also supporting control requirements that are not safety related but are business critical.

Safety capability:

Both fail-safe and fault-tolerant architectures are supported; fault tolerance is achieved through two-module (1oo2D) or three-module (2oo3D) configurations.

Built-in comprehensive diagnostics detect hardware and software faults. A faulty module needs to be replaced within the mean time to repair (MTTR) to avoid a decrease in SIL level.

Supports two configurations, "de-energize to trip (DTT)" and "energize to action (ETA)"; the number of modules needs to be selected based on SIL level and demand rate (high/low) (see Table 1).

2. Module configuration and SIL compliance requirements

Minimum module configuration for different application scenarios (simplified version of Table 1):

Application type                 Input modules   Processor modules   Output modules
SIL 2/3, low/high demand, DTT    1               2                   1
SIL 2, high demand, ETA          2               2                   2
SIL 3, high demand, ETA          2               2                   2

Note: The single channel digital output module includes a series switch. The DTT scenario supports SIL 3, while the ETA scenario only supports SIL 2. There are no three module output configuration options.

3. International certification and compliance standards

Functional safety certification: Compliant with IEC 61508 SIL 3, certified by an independent certification body.

Hazardous environment certification:

North America: Class I, Division 2, Groups A-D (UL 61010-2-201, CSA C22.2 standard).

Europe/UK: ATEX (DEMKO 11 ATEX 1129711X, Ex ec IIC T4 Gc), UKCA (UL24UKEX2993).

International: IECEx (certificate number IECEx UL 12.0032X).

Other compliance: Complies with industry standards such as EN 50156 (furnace control), EN 54 (fire alarm), NFPA 85/86/87 (boilers/ovens/fluid heaters), etc.

Safety lifecycle and management system

1. Safety lifecycle stages

The full lifecycle defined by IEC 61508 must be followed, with core stages including:

Scope definition: Clearly define system boundaries, interfaces (with processes/third-party equipment), and environmental requirements (such as temperature and power).

Hazard and Risk Analysis: Identify hazardous events, trigger sequences, and risk levels as inputs for safety requirements.

System Design and Engineering: Partition the system architecture, define safety requirement levels for each component, and refine the hardware/software design.

Integration and Verification: The application is integrated with the controller, then tested to verify that each SIF meets its SIL requirements (such as response time and fault handling).

Operation and Maintenance: Develop an operation/maintenance plan to ensure the SIL level is maintained during operation. Changes must be strictly controlled, and suspensions must follow safety procedures.

2. Requirements for Safety Management System

Policy and Planning: Functional safety policies need to be developed to clarify measures, responsibilities, and record management (including change control) for each stage of the lifecycle.

Personnel capability: Personnel qualifications need to be evaluated, including engineering experience, functional safety knowledge, and regulatory familiarity. Higher qualifications are required for high-risk scenarios.

Functional Safety Assessment (FSA): Led by senior personnel independent of the project, it reviews whether the entire lifecycle work meets the requirements.


System Architecture Design (SIL 2/3)

1. SIL 2 architecture

Fail-safe architecture: single input (1oo1D), dual processor (1oo1D degraded), single output (1oo1D); a fault triggers the safe state.

Fault-tolerant input architecture: dual/triple input (1oo2D/2oo3D), dual processors, single output. When a single input module fails, the system operates in a degraded state while still maintaining its safety functions.

High demand architecture: dual input, dual processor, dual output; faulty modules must be replaced within MTTR to avoid SIF shutdown.

2. SIL 3 architecture

Fail-safe I/O + fault-tolerant processor: single input/output, dual/triple processor (1oo2D/2oo3D); degrades on processor failure, and a dual fault triggers the safe state.

Fault-tolerant I/O architecture: dual input/output, dual processors; both the input and output modules support 1oo2D degradation. Suitable for scenarios with high safety requirements.

TMR architecture: three inputs, three processors (2oo3D), dual outputs, with the strongest fault tolerance. A single module failure does not affect system operation. With two failures the system is degraded, and with three failures it triggers the safe state.

3. Safety network communication

SNCP protocol: A SIL 3 certified "black channel" protocol that carries safety data over Ethernet. Controllers exchange data through "variable binding", and the network can be configured as a single network (fail-safe) or a dual network (fault-tolerant).

Peer-to-peer communication: Supports SIL 3 data transmission between AADvance and Trusted controllers, based on master-slave mode. Redundant networks are recommended to ensure availability.
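An added illustration (not from the manual or from Rockwell) of the general voting-with-diagnostics idea behind the 1oo2D/2oo3D configurations above, combined with the replace-within-MTTR rule stated earlier on this page. The `Module`, `vote` and `sif_action` names, the step-down sequence and the hour values are assumptions of this example, not AADvance firmware behavior.

```python
from dataclasses import dataclass

@dataclass
class Module:
    trip_demand: bool  # True = this module reads a demand to trip
    healthy: bool      # False = diagnostics have flagged the module as faulty

def vote(modules):
    """Return (voting_scheme, trip) for a group of three redundant modules.

    Faulty modules are excluded first, then the remaining ones are voted:
    3 healthy -> 2oo3D, 2 healthy -> 1oo2D, 1 healthy -> 1oo1D,
    0 healthy -> safe state (trip).
    """
    demands = [m.trip_demand for m in modules if m.healthy]
    if len(demands) == 3:
        return "2oo3D", sum(demands) >= 2
    if len(demands) == 2:
        return "1oo2D", any(demands)
    if len(demands) == 1:
        return "1oo1D", demands[0]
    return "safe state", True

def sif_action(modules, hours_since_fault, mttr_hours):
    """Combine the vote with the replace-within-MTTR rule (assumed policy)."""
    scheme, trip = vote(modules)
    if trip:
        return "TRIP"
    if scheme != "2oo3D" and hours_since_fault > mttr_hours:
        return "SHUT_DOWN_SIF"  # faulty module was not replaced in time
    return "RUN" if scheme == "2oo3D" else "RUN_REPAIR_PENDING"

# Constructed scenarios: one dissenting module, with and without a fault.
ALL_HEALTHY = [Module(True, True), Module(False, True), Module(False, True)]
ONE_FAULTY = [Module(True, True), Module(False, True), Module(False, False)]
NO_DEMAND_ONE_FAULTY = [Module(False, True), Module(False, True), Module(True, False)]

if __name__ == "__main__":
    print(vote(ALL_HEALTHY))   # a lone demand is outvoted
    print(vote(ONE_FAULTY))    # the same lone demand now trips
    print(sif_action(NO_DEMAND_ONE_FAULTY, hours_since_fault=10, mttr_hours=8))
```

The same lone trip demand is outvoted with three healthy modules but trips the function once one module is excluded, which is the availability cost of running with a fault outstanding.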

Installation and environmental requirements

1. Non hazardous environment

Environmental conditions: temperature -25 °C to +60 °C, pollution degree ≤ 2 (IEC 60664-1: only non-conductive pollution, occasional condensation). The burner management application requires an enclosure protection level of IP40 (indoor) / IP54 (outdoor).

Installation requirements: The module should be installed vertically (ensuring natural heat dissipation), DIN rail or wall mounted, without the need for forced air cooling.

2. Hazardous environment

Special requirements:

The enclosure protection level is ≥ IP54 (IEC 60079-0/7), and the enclosure must be marked with "Do not open when powered on".

Grounding wire cross-sectional area ≥ 3.31 mm², wire temperature rating ≥ 85 °C; only vertical installation is supported.

The temperature range is the same as for non-hazardous environments, and the pollution degree is ≤ 2.


Operations and Security Assurance

1. Key daily maintenance items

Fault handling: When a processor, input or output module fails, it needs to be replaced within MTTR. If it is not replaced in time, the relevant SIF needs to be shut down (unless there are compensatory measures in the SRS document).

Calibration and testing: Regularly calibrate sensors/actuators, test SIF response time (≤ 1/2 of process safety time PST), and archive test records.

Backup and update: Regularly back up the system configuration (AADvance Workbench/SIS Workstation project) and test backup effectiveness. Firmware updates require the use of the ControlFLASH tool.

2. System security measures

Network security: Connecting to the unprotected Internet is prohibited. Computers need to have firewalls, antivirus software, and password protection enabled. The software license USB key needs to be kept in a safe place.

Port security: Some Ethernet ports (such as TCP 1132, UDP 2010) are open by default, and unused ports need to be closed through a firewall (refer to the configuration guide).

Program security: The application requires password protection, and the "Program Enable Key" must be inserted in the controller before the configuration can be modified. Forcing I/O points during operation is prohibited; using the program's "override" logic is recommended for maintenance.
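One way to check a firewall ruleset against the port guidance above, as an added example rather than anything from the manual or Rockwell: it audits iptables-save style FORWARD rules for the two default-open ports the page names. The Linux firewall placement, the rule sample, all addresses, port 9999 and the `parse_rule`/`audit` names are assumptions.

```python
import shlex

# Ports the page names as open by default on the controller.
DEFAULT_OPEN = {("tcp", 1132), ("udp", 2010)}

# Constructed sample in iptables-save syntax; addresses are documentation placeholders.
SAMPLE_RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -p tcp -s 192.0.2.10/32 -d 192.0.2.50/32 --dport 1132 -j ACCEPT
-A FORWARD -p udp -d 192.0.2.50/32 --dport 2010 -j ACCEPT
-A FORWARD -p tcp -s 0.0.0.0/0 -d 192.0.2.50/32 --dport 9999 -j ACCEPT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options audited here."""
    tok = shlex.split(line)
    rule = {"chain": tok[1]}
    for flag, key in (("-p", "proto"), ("-s", "src"), ("--dport", "dport"), ("-j", "target")):
        if flag in tok[:-1]:
            rule[key] = tok[tok.index(flag) + 1]
    return rule

def audit(ruleset, in_use, chain="FORWARD"):
    """List ACCEPT rules that expose controller ports more widely than needed."""
    findings = []
    lines = [l.strip() for l in ruleset.splitlines()]
    if not any(l.startswith(f":{chain} DROP") for l in lines):
        findings.append(f"{chain}: default policy is not DROP")
    for line in lines:
        if not line.startswith(f"-A {chain} "):
            continue
        rule = parse_rule(line)
        dport = rule.get("dport", "")
        if rule.get("target") != "ACCEPT" or not dport.isdigit():
            continue  # port ranges and portless rules are out of scope here
        port = (rule.get("proto"), int(dport))
        label = f"{port[0]}/{port[1]}"
        if rule.get("src", "0.0.0.0/0") == "0.0.0.0/0":
            findings.append(f"{label}: accepted from any source")
        if port in DEFAULT_OPEN and port not in in_use:
            findings.append(f"{label}: default-open port allowed but not in use")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, in_use={("tcp", 1132)}):
        print(finding)
```

The `in_use` set is where the site records which of the default-open ports its own engineering tools actually need; everything else on those ports is reported.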

Supporting documents and resources

1. Key related documents

Document name                                                  Usage description
AADvance Controller System Build Manual (ICSTT-RM448)          System assembly, startup, and operation verification
AADvance PFH and PFDavg Data (ICSTT-RM449)                     Fault probability (PFH/PFDavg) data and calculation example
AADvance Troubleshooting and Maintenance Manual (ICSTT-RM406)  System maintenance, troubleshooting, and repair

2. Support channels

Technical support: Get help through rok.auto/support; register an account to subscribe to product security notifications.

Document download: Download the latest manuals and firmware from the Rockwell Literature Library (rok.auto/literature) or the Product Compatibility and Download Center (rok.auto/pcdc).


Key Terminology (Glossary Simplified)

SIL (Safety Integrity Level): Levels 1-4, with SIL 3 being the highest level supported by the manual.

PST (Process Safety Time): The maximum time a hazardous state can exist without protection before a hazardous event is triggered. The controller defaults to PST = 2500 ms, and the value needs to be adjusted based on sensor/actuator delay.

MTTR (Mean Time To Repair): The average time to repair; faulty modules need to be replaced within this time to maintain the SIL.

1oo2D/2oo3D: Fault-tolerant configurations: 1oo2D (1 out of 2 with diagnostics), 2oo3D (2 out of 3 with diagnostics).
