RSLogix5/500 View Only option?

As an engineer at a small manufacturing company, I would like to train a few maintenance people and operators on the basics of PLC troubleshooting. Using RSLogix5 or 500, I would like to have them connect to our live process and view or troubleshoot the logic. My question: Is there a way to restrict RSLogix to "View Only" so the user can browse through the logic, examine data, but not be allowed to make any changes to any of the variables or logic? This seems like it would be a useful option, as most troubleshooting does not require making any changes.

Its called "RSLADDER", contact your AB representative.

Thanks Mickey,
I've tried RSLadder which came bundled with RSLinx Pro, but it seems to be unstable, cumbersome and somewhat limited compared to RSLogix. If the same could be done within RSLogix, then it would be a natural step to allow "authorized" users to advance to making actual changes and learning to program within the same environment.

There are some file properties that may help. Right click on the ladder file you want to protect. I have never used this so I'm not sure if its what you want.

See below for exerts from the online help file.

RsLogix500:

Allow Online Edits
Indicate here if you want to be able to edit the program file online. When this check box is selected it means that online editing of the file is allowed. (This field is invalid for the MicroLogix controllers, with the exception of the MicroLogix 1100 and MicroLogix 1400.)

Click to expand...

RsLogix5:

Privileges

You can modify read and write privileges for program files. These privileges limit the access of users logging in under a specific class (1-4) from viewing or changing ladder logic. Two protection options determine whether a user can read or write to a program file. These include the users' privilege class and whether read and write privileges have been assigned to the program file itself.
Select program file Read or Write protection for each login class. An R means you can read the file, a W means you can write to the file. If you uncheck either the R or W for a class, that class will be denied read or write privilege.

Privileges can only be changed during offline programming. Remember that removing both the read and write access from a class prevents that class from accessing the program file.

Rockwell Software Inc., 1997, 1998, 1999, 2000

Click to expand...

Mickey,
Thanks again.
I have worked with PLC5's and SLC500's for a number of years, but have only made use of the Master Passwords if I wanted to lock others out.
I just spent the last few minutes experimenting on a PLC5 with the Class 1-4 login priviledges, and it appears as if those options might do the trick. As a default, a typical PLC5 program is setup to automatically log you in as a Class 1 which has all admin and other privileges turned on. After logging in you have the option to change to a different Class. By changing the priviledges for Class 4 to be read only and setting the default login to Class 4, then anytime someone pulls up the file or connects to the PLC, they will automatically be locked out of any preset chosen writes. This would work great for anyone when first connecting to a PLC, RSlogix would default to read only, and allow them read access only for troubleshooting. This would even be helpful for us admin types to keep us from accidently making any unwanted change to a live process. Then if a change needed to be made, the user could login on a different class that allowed the appropriate writes.

As an example, the classes could be set up as follows.

Master password - required for all people making a connection.
Class 4 - Defaults when connecting, Allows Read Only Access.
Class 3 - Allows some data tables and presets to be changed.
Class 2 - Allows some ladder files to be changed.
Class 1 - Unlimited access to data, ladders, and configuration.

These are just my quick ideas, but I think we are on the right track.

Thanks for the input
Rollie

Maybe something new

I'm not sure what version of Logix5 you are using, but in previous versions I was not aware of any login options, or the 1-4 categories you speak of. The last time I worked with a PLC5 or a SLC was a year ago. As of that time, we deployed a site solution called Factory Talk Asset Center. In it you were allowed to create permissions via SQL logins for who could do what which each PLC, and from what computers. This solution only worked for networked PLCs. Perhaps the logins you're talking about are new in a later version of the software.

I'm currently running version 7.2 RSLogix5, but I seem to remember seeing the Class 1-4 notes before I upgraded. Not sure what I had previously.

this has to be quick – late for supper ...

I've had customers ask me to help set up those "passwords and privileges" before ... my first question is usually: "How are you planning to discipline the workers who violate the security policies?" ... the answer usually boils down to "there's really nothing that we CAN do about it" ...

well, then my next advice is to save your time and don't mess with the passwords, etc. ...

the point is that the software is really pretty good at doing its little job – but the human beings are lousy ... within a few weeks of setting everything up, you'll open the PLC enclosure and find all of the passwords written with a magic marker right next to the PLC ... open the laptop and you'll find a yellow sticky note with all of the passwords ... look inside the toolbox cover ... etc. ... etc. ... etc. ...

if this is acceptable, then party on ... but if you're not careful, you're just going to do a LOT of extra work keeping the security system maintained – and there'll be more loopholes in it than you can shake a stick at ... within a very short time, "hacking the system" becomes a challenge that the workers really enjoy – and passwords will generally be shared among the masses ... if there's no real punishment for violations, then the system is quite probably just doomed to failure ...

please let us know how this works out for you ... the question does come up from time to time ...

Hi Ron,

I appreciate your input.
I've heard good things about your wisdom and experience.

In the past with most of our other "high-tech" gadgets, the form of security used has mostly been knowledge. If you know how to get in and do something, you can. The systems are mostly protected from unauthorized users by the fact that others usually do not have the knowledge on how to get in and do anything. For the most part anyone that knows how to get into the systems, is highly skilled and is authorized to get in when they need to. Even now that most of the PLC's are on the company network, the potential is there for someone to get on a pc, run the appropriate software and gain access to a running process. This doesn't happen, because no one has a clue how to do it.

Not only is our primary plant control systems on a network, but we are also connected to plants in other states with identical machines. So far, my implementaion of passwords has been for Safety reasons and not Security. The passwords chosen have been more for machine identification then for user level authority. When I connect to a machine, I am comforted by the password validation as it confirms to me I have connected to where I really want to be.

After reading your suggestions, which I really do appreciate, I'm thinking some kind of Class Level logins could still be useful. I like the idea of connecting in a default "Read Only" mode which will allow 98% of users to do the troubleshooting they need to do, then if they need to make a register change, force an I/O or make logic changes, they still can do that after they have entered a different login password. This extra step adds a level of Safety that even the top authorized personnel could benefit from.

As for writing the access codes and passwords where they can be seen, the system as I described would be ok with that. In fact I currently have a line of 4 identical bagging machines numbered 1 thru 4. When connecting remotely using RSLogix, I am required to enter a password such as 1111, 2222, 3333, or 4444 depending on which machine I'm connecting to. I am sure this extra step will prevent a potential injury of a local operator someday. There is also a TCAM module connected to each machine directly and I have posted the corrosponding xxxx password next to it which the machine operator is required to enter anytime they make adjustments to some of the machine parameters.

With a new wave of trainees coming into our system, I would like to promote getting online to our live processes and allowing them to monitor the logic and practice troubleshooting. At this point I am comfortable doing that with the above proposed Password and Class logins.

Please continue to comment as I value others views on these matters.
Thanks
Rollie

How about put the keyswitches in Run instead of RunP.

Let us know

Rollie,

It sounds like you are networked far greater than I anticipated, based on your first post. If you have networked controllers, my guess is that the maintenance staff you are thinking of allowing to view the PLCs also have SQL logins to corporate PCs for other purposes, such as email. If the password route is available to you, I'd like to know that for sure, for future reference. That said, if it is not, or if you want complete control, I encourage you to look at the Asset Center solution. Not only does the solution allow you to set permissions(and they are broken down to various tasks nicely), but the system also logs the actions, and provides a record of who opened what files, went online with what controllers, installed what logic when, etc. It makes for a great tracking system should there be ill consequences from enabling your maintenance staff to access the PLCs. Beyond this, I encourage you to do this, as an empowered maintenance staff will in the long run have a positive impact on your downtime, as well as making less early AM phone calls to you. As I said before though, please confirm if you are able to locally set various stages of access. My gut tells me this is not an option, because if it were, it would kill a major selling point of the Asset Center package.

Paul B said:

How about put the keyswitches in Run instead of RunP.

Click to expand...

Those little Keys are like passwords, when you first open the box after in arrives there are two keys. The next time you open the box to install the controller there is only one key.

We used to remove the keys and leave them in Run, but after we networked them, we found too many cases where a data table needed resized or some other configuration changed needed and it was a hassle to go out to the cabinet , put in a key and go to Prog or Rem mode. Now we leave the keys in all the processors or leave them all in Remote.

Paul B said:

How about put the keyswitches in Run instead of RunP.

Click to expand...

Yup. That's the best way.

We had some lazy engineers that would make changes from the desk because they didn't want to walk down to the floor. One guy caused a wreck on one of the blankers (think of large sheets of steel flying around) when he made changes from his desk.

I was very unpopular for a time when I got the electricians to put the keyswitch in the Run position on any PLC that they came across (they weren't restricted to PLCs that they were working on, any PLC was fair game).

Besides the obvious safety reasons for doing this, I was fed up with getting beat up by electricians (who knew me better than that) accusing me of making changes at my desk because some of my partners did.

It wasn't popular with my coworkers (or CCRW for that matter), but it pretty much put a stop to "phantom" crashes, and it improved communications between engineering and skilled trades.