Guardlogix and Safety Partner

Posted by BachPhi (Member, Los Alamos, joined Dec 2007):
1756-L6xS and 1756-L7xS cannot operate without a Safety Partner and are SIL3 level.

However, 1756-L8xS can operate without a Safety Partner and is SIL2; when an SP is added, it becomes SIL3 level.

So what does this mean? One can go cheap and offer different options at SIL2 and SIL3 level, and end up like Boeing did with the 737 MAX?
 
Well, before choosing hardware, you have to do a HAZOP/risk assessment and then calculate what SIL level you need to achieve a tolerable risk.
 
No disrespect intended.

If you need to ask, you are already outside of your comfort zone.

But as the gentleman above me states, the whole process of calculating what SIL level you need, starts with the risk assessment.

You don't specify what SIL level you need; the risk assessment dictates it to you.

Comprehensive paper on the subject: http://www.hse.gov.uk/research/rrpdf/rr216.pdf

This is for the EU, mind; it's probably different for the USA, where you may get away with putting some yellow/black tape on it as long as you're covered for arcing!
 
I am certainly out of my comfort zone, as much as you intended; it's okay with me.
But I wasn't really asking the question that you were trying to spin it into.

Anyway, I am pretty certain that Boeing engineers also performed their due diligence of risk assessment on the 737 MAX, maybe much more than what you are capable of,
and yet it was somehow being offered as an extra option.
Since you are such a safety expert, perhaps you can share your opinion on this matter.
 
I guess you should have written "Boeing 737 Max and MCAS" in the title for the topic instead of "Guardlogix and Safety Partner".

There are several of us on this forum working with safety system design/programming/whatnot on a daily basis. But I think you won't find someone with direct insight into the Boeing disaster who will openly write about it here (I might be wrong..)

There's lots to read about it online if you're interested.

https://reports.aviation-safety.net/2018/20181029-0_B38M_PK-LQP_PRELIMINARY.pdf
https://reports.aviation-safety.net/2019/20190310-0_B38M_ET-AVJ_PRELIM.pdf
https://www.bbc.com/news/world-africa-47553174

https://www.seattletimes.com/busine...-max-system-implicated-in-the-lion-air-crash/

"Flawed analysis, failed oversight", I guess sums it up.
 
I am not interested in reading through a bunch of reports on the details of why the 737 MAX crashed. The reason I mentioned it
is because the incident happened recently and because one of its safety features was being OFFERED as an extra option to buy.

The analogy between Boeing and AB is that AB's newer product, the L8xS, is now being OFFERED with more choices.
When their earlier product, the L6xS, was only offered at SIL3 level, one would expect their later product to be something better than the older product,
like SIL3 & SIL4, not the opposite, that is, being OFFERED as a choice with a lower SIL level.
 
You're missing the point; AB ain't gonna do your risk assessment. Boeing failed their risk assessment.

Risk assessment gives you the required SIL. AB will sell all levels of SIL through the product line. Most won't put in a higher SIL than required because it will cost more.

Boeing is the equivalent of an integrator. AB, in the case of selling safety controllers, is a parts manufacturer not responsible for someone else's system design.

But if AB would say something is SIL3 but later proves it's not, they would be in trouble.

And also, just buying a SIL3 controller does not make your design and programming SIL3....
 
I'm sorry. You're right.

By offering an end customer a "not safe enough" design you can definitely end up like Boeing.

The extra safety features offered could possibly have aided the situations but were not the root cause of the accidents. These types of accidents could have happened anyway because of other design flaws, which were the root cause.
 
I will preface this by saying I don't know exactly what AB intended for the L8 series, but having used L6xS and L7xS processors, they are a bit different in how they work versus 'vanilla' L6 and L7 processors.

The main difference is that 'vanilla' processors are only rated for SIL 2, the same as an L8xS is standalone. However, each has a safety task that can be locked and signed to prohibit changes. Plus the safety task is essentially buffered, in that all inputs are read and stored prior to any logic operations, then written to the outputs after all logic is completed. The operations that can be used in the safety task are also limited. The memory of the safety task is also separate. Any of those could be compelling reasons to use an L8xS standalone.

As for comparisons with Boeing, I don't quite think they are the same. Although I'm sure there may be some confusion, in that some people will think they are getting SIL 3 safety with just a single processor.

Boeing was more like an immense a la carte menu of features, more akin to buying individual instructions that may or may not work independently. Plus having some instructions that used to work on older processors not behave the same. Plus adding a new system that disregards your inputs if it thinks it detects a problem.
 