Appendix c, Migrating a cs300 controller, 1 overview – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual
SAFETY MANUAL
Doc Number T8094
Issue 27 – June 2013
APPENDIX C
9. MIGRATING A CS300 CONTROLLER
9.1 OVERVIEW
You can migrate the I/O of an existing CS300 controller to a Trusted™ system. The
migration process lets you retain the hardware and wiring of the existing I/O, and take
advantage of the benefits of a Trusted™ system.
This appendix defines how to safely migrate an existing CS300-based system to a
Trusted™ system for a Safety Instrumented Function while retaining the DIN19250/AK6
certification of the original system. The migration of a CS300 controller described here
is suitable for low demand applications.
Note: These instructions apply to inputs and outputs used for Safety Instrumented
Functions. Where I/O points are used for only monitoring, or only redundant indication,
these instructions do not necessarily apply. For guidance on how to migrate a CS300
system for non-safety applications, refer to application note AN-T80014.
The migrated system uses a T8100 Trusted™ chassis and its T8110B TMR processor
module running an updated application, together with three T8162 CS300 bridge
modules (installed in the original CS300 primary rack) and associated cabling. The
migrated system retains the original CS300 rack(s), I/O modules and field wiring, but
the CS386 integrated computer control boards (ICCBs) are removed and the original
application is no longer used.
The hardware changes are summarized as follows. The three ICCBs are removed,
and three T8162 CS300 bridge modules are fitted in their place. A small PCB is fitted to
the rear of the CS300 rack, and the rack is connected to the Trusted™ chassis by a
ready-made cable assembly. The original field wiring remains unchanged. It is recommended
that the Trusted™ chassis is installed close to the original CS300 primary rack. This
will make operation and maintenance easier.
The software changes are more complex. In particular:
1. The existing application must be recreated to run on the Trusted™ system.
2. The new application has to retain the safety integrity of the original system. The
AK6 standard of the original controller was the predecessor to the SIL3 rating of
IEC 61508, and while the Trusted™ controller is certified to SIL3, the original I/O
will remain AK6.
3. The new application needs to include diagnostic functions to replicate diagnostic
functionality which was built into the original application.
4. The new application must monitor the state of the TM118-TWD watchdog module.
If the watchdog module times out, the affected outputs must be latched into the
tripped state. See section 9.6.7.