44 Rockwell Automation Publication 1756-RM012B-EN-P - April 2018
Chapter 5 Characteristics of Safety Tags, the Safety Task, and Safety Programs
• Sufficiently document all safety-related changes that are made via the HMI, including the following:
– Authorization
– Impact analysis
– Execution
– Test information
– Revision information
• Process safety changes to the safety-related system must comply with IEC 61511 requirements.
• Machine safety changes to the safety-related system must comply with IEC 62061 requirements.
• The developer must follow the same sound development techniques and 
procedures that are used for other application software development, 
including the verification and test of the operator interface and its access 
to other parts of the program. In the controller application software, 
create a table that is accessible by the HMI and limit access to only 
required data points.
• Similar to the controller program, the HMI software is secured and 
maintained for SIL-level compliance after the system has been validated 
and tested.
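The access table and change documentation described in the list above, sketched as an added example (not code from this manual or from Rockwell Automation). The tag names, the `HmiGateway` class and the record field names are hypothetical, and Python stands in for the controller-side logic.

```python
from dataclasses import dataclass, field

# The five items the list above requires for every safety-related HMI change.
REQUIRED_CHANGE_FIELDS = ("authorization", "impact_analysis", "execution",
                          "test_information", "revision_information")

# Constructed access table: the only data points exposed to the HMI.
# Tag names are hypothetical.
HMI_ACCESS_TABLE = {
    "HMI_Table.LineSpeedSetpoint": {"write": True},
    "HMI_Table.GuardDoorStatus": {"write": False},
}


class HmiAccessError(Exception):
    """Request is outside the access table or lacks change documentation."""


@dataclass
class HmiGateway:
    tags: dict  # stand-in for controller tag values
    table: dict = field(default_factory=lambda: HMI_ACCESS_TABLE)
    change_log: list = field(default_factory=list)

    def read(self, name):
        if name not in self.table:
            raise HmiAccessError(f"{name} is not exposed to the HMI")
        return self.tags[name]

    def write(self, name, value, change_record):
        entry = self.table.get(name)
        if entry is None:
            raise HmiAccessError(f"{name} is not exposed to the HMI")
        if not entry["write"]:
            raise HmiAccessError(f"{name} is read-only for the HMI")
        # Every required documentation field must be present and non-empty.
        missing = [f for f in REQUIRED_CHANGE_FIELDS
                   if not str(change_record.get(f) or "").strip()]
        if missing:
            raise HmiAccessError(f"change record incomplete: {missing}")
        # Log before applying so every accepted change has its documentation.
        self.change_log.append({"tag": name, "old": self.tags[name],
                                "new": value, **change_record})
        self.tags[name] = value
        return self.change_log[-1]
```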
Safety Programs
A safety program has the attributes of a standard program, except that it can be 
scheduled only in the safety task. A safety program can also define 
program-scoped safety tags. A safety program can be scheduled or unscheduled.
A safety program can contain only safety components. All routines in a safety 
program are safety routines. A safety program cannot contain standard 
routines or standard tags.
Safety Routines
Safety routines have the attributes of standard routines, except that they can 
exist only in safety programs, cannot read or write standard tags, and can be 
programmed only in Ladder Logic. One safety routine must be designated as the main 
routine in each safety program. Another safety routine can be designated as the 
fault routine for that safety program. Only safety-certified instructions are used 
in safety routines.
For a listing of safety instructions, see Appendix A on page 69.