Automation, Functional Safety. Assessment of the Point Guard Analog Input Safety Modules 1734-IE4S and 1734-IE4SXT Rockwell Automation, USA

Automation, Functional Safety Assessment of the Point Guard Analog Input Safety Modules 1734-IE4S and 1734-IE4SXT, USA Report-No.: 968/EZ 480.01/12 Date: 2012-02-28 Report-No.: 968/EZ 480.01/12 Page 1 of 24

Assessment of the Point Guard Analog Input Safety Modules 1734-IE4S and 1734-IE4SXT, USA Report-No.: 968/EZ 480.01/12 Date: 2012-02-28 Pages: 24 Test object: Customer/Manufacturer: Point Guard Analog Input Safety Modules 1734-IE4S and 1734-IE4SXT 1 Allen-Bradley Drive Mayfield Heights, OH 44124 United States of America Order-No./Date: 5500003158 dated 2010-08-10 Test Institute: TÜV Rheinland Industrie Service GmbH Automation, Software and Information Technology (ASI) Am Grauen Stein 51105 Köln Germany TÜV-Offer-No./Date: 968/326/10 dated 2010-07-21 TÜV-Order-No./Date: 10469803 dated 2010-08-11 Inspectors: Test location: Dipl.-Ing. Matthias Haynl see Test Institute Test duration: November 2010 - February 2012 The test results are exclusively related to the test samples. This report must not be copied in an abridged version without the written permission of the Test Institute. Report-No.: 968/EZ 480.01/12 Page 2 of 24

Table of contents Page 1. Scope 4 2. Applicable standards 4 3. Test object description 5 3.1. Safety related aspects 6 3.2. Test samples 6 3.3. Inspected documents 6 3.4. Presented test reports and certificates 7 4. Performance of tests and results 8 4.1. General 8 4.2. Test steps 8 4.3. Inspection to the requirements of IEC 61508 and EN62061 8 4.3.1. Inspection of the documentation for completeness and correctness 8 4.3.2. Assessment of the management of functional safety 9 4.3.3. Assessment of measures to avoid failures during the different phases of the life cycle 9 4.3.4. Assessment of measures to control failures during operation 9 4.3.5. Hardware design inspection 10 4.3.6. Software design inspection 10 4.3.7. Calculation of the safety related parameters 11 4.4. Assessment regarding the EN ISO 13849-1:2008 + AC:2009 11 4.5. Application specific considerations 12 4.5.1. Requirements according to EN 13611:2007 + A2:2011 12 4.5.2. Requirements according to EN 14459:2008 13 4.5.3. Requirements according to NFPA 72:2010 14 4.5.4. Requirements according to NFPA 79:2012 17 4.5.5. Requirements according to NFPA 85:2011 18 4.5.6. Requirements according to NFPA 86:2011 21 4.6. Review of EMC 23 4.7. Information to electrical safety 23 4.8. Review of the climatic and mechanical tests 24 4.9. Additional aspects 24 4.9.1. Programming and configuration tools 24 4.9.2. Communication requirements 24 5. Summary 24 Report-No.: 968/EZ 480.01/12 Page 3 of 24

1. Scope The following report presents the results of the Point Guard Analog Input Safety Modules 1734-IE4S and 1734-IE4SXT type approval for safety related applications. The 1734-IE4S and 1734-IE4SXT have been subject to an assessment in accordance with IEC 61508 Safety Integrity Level 3 (SIL 3) and EN ISO13849-1 Performance Level e (PL e) and Category 4 (Cat 4). This test report contains the essential safety engineering aspects, that were assessed during the inspection and identifies the various test steps, that were performed to provide evidence, that the test object complies with the safety-relevant requirements of the product specification and the relevant standards. 2. Applicable standards /N 1/ IEC 61508, parts 1-7:2010 Part 1-7: Functional safety of E/E/PES safety-related system /N 2/ EN ISO 13849-1:2008 + AC:2009 Safety of machinery - Safety related parts of control systems Part1: General principles design /N 3/ EN 62061:2005 Functional safety of safety-related electrical, electronic and programmable electronic control systems /N 4/ IEC 61131-2:2007 Programmable controllers Part2: Equipment requirements and tests /N 5/ IEC 61326-3-1:2008 Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety related functions (functional safety) - General industrial applications /N 6/ EN 60204-1:2005/A1:2008 Safety of machinery - Electrical equipment of machines Part 2: General requirements /N 7/ EN 14459:2008 Control functions in electronic systems for gas burners and gas burning appliances /N 8/ EN 13611:2007 + A2:2011 Safety and control devices for gas burners and gas burning appliances General requirements /N 9/ NFPA 72:2010 National Fire Protection Association, Alarm and signalling systems /N 10/ NFPA 79:2012 National Fire Protection Association, Electrical Standard for Industrial Machinery Report-No.: 968/EZ 480.01/12 Page 4 of 24

/N 11/ NFPA 85:2011 National Fire Protection Association, Boiler and Combustion Systems Harzards Code /N 12/ NFPA 86:2011 National Fire Protection Association, Oven and Furnaces 3. Test object description The Point Guard I/O Safety Modules 1734-IE4S and 1734-IE4SXT (see Table 1) are utilized in the POINT I/O platform and can communicate safety messages via network adapters connect to EtherNet/IP or DeviceNet networks (see Table 2). A list of common applications and compatible partners is specified /U 16/. The 1734-IE4S and 1734-IE4SXT are industrial 24VDC analog safety modules with four analog safety-input ports and the related sensor power output ports. The four analog inputs are configurable as inputs set to current mode, set to voltage mode or set to tachometer mode. Single mode of operation (one sensor is connected to the 1734-IE4S or 1734-IE4SXT, see Figure 1) and dual mode of operation (two sensors are connected to the 1734-IE4S or 1734-IE4SXT, see Figure 2) are slso supported. Figure 1: Single mode of operation Figure 2: Dual mode of operation The 1734-IE4S and 1734-IE4SXT can be configured through software using either the Network configuration tool (RSNetWorx) or the GuardLogix programming tool (RSLogix 5000). Report-No.: 968/EZ 480.01/12 Page 5 of 24

3.1. Safety related aspects The 1oo2 architecture is the basic architecture of the modules and therefore the hardware fault tolerance (HFT) of one was assigned. To achieve the targeted safety integrity level the safety related parameters have to be: Safe Failure (SFF) 90 % (see /N 1/, part 2, table 3) Average Probability of a dangerous Failure on Demand (PFD) < 10-3 (see /N 1/, part 1, table 2) Probability of a dangerous Failure per Hour (PFH) < 10-7 1/h (see /N 1/, part 1, table 3) The safety function is to measure analog process variables, such as temperature, pressure, flow rate, etc. The analog input point can be configured in seven modes (±10V, ±5V, 0 5V, 0 10V, 4 20 ma, 0 20 ma, Tachometer). 3.2. Test samples The necessary tests of the 1734-IE4S and 1734-IE4SXT were carried out at the Rockwell facilities in Milwaukee and Cleveland. Additionally Rockwell provided a test system to the Test Institute. It was used to verify partly the tests carried out at Rockwell and to incorporate additional tests. Catalogue Number Description Series F/W Rev. 1734-IE4S Point Guard I/O Safety Modules A 1.1 1734-IE4SXT Point Guard I/O Safety Modules A 1.1 Table 1: Point Guard Analog Input Safety Modules Catalogue Number Description Series F/W Rev. 1734-PDN DeviceNet Adapter B none 1734-AENT EtherNet/IP Adapter A 3.1 Table 2: Point Guard I/O Network Adapter (suitable for safety loops up to SIL 3) The test samples were stored at the Test Institute. 3.3. Inspected documents Testing was mainly based on the following documents: /U 1/ Functional Requirement Specification No. 10000092528 rev 01.3, dated 2011-11 /U 2/ Point Guard I/O Safety Modules SRS, rev. 0.b, dated 2011-02-25 /U 3/ Safety Concept 1734-IE4S, No. 10000132187 rev 00.0, dated 2010-08-31 /U 4/ High Level Design Document No. 10000105979, rev 00.03, dated 2010-10-27 /U 5/ Hardware Detailed Design Specification No. 10000114340, rev 00.01, dated 2011-06-10 /U 6/ Schematic - No. 10000127401 (ver. 02), dated 2010-09-08 Report-No.: 968/EZ 480.01/12 Page 6 of 24

/U 7/ High Level Firmware Design Document No. 10000105950, rev 01.a, dated 2010-01-13 /U 8/ Project Plan / Safety Plan No. 10000046521, rev 00.03, dated 2011-11-05 /U 9/ Functional Safety Management Verification and Validation Documentation No. 10000220348, rev 00.b, dated 2011-11-28 /U 10/ PointGuard Analog Input Embedded Software Documentation (compiled html help file), dated 2012-02-08 /U 11/ Embedded C++ Coding Standard, No. ER#X 7014, rev. 1.6 /U 12/ FMEA Point Guard Analog Input Module, No. 10000141701, rev. 0.4 /U 13/ Fault Insertion Analysis ( Hardware ) of Point Guard Analog I/O, dated 2012-1-20 /U 14/ Calculation of the safety relevant parameters, dated 2011-12 /U 15/ QTP for Point Guard Analog IO, 1734-IE4S, 1734-IE4SXT, No. 10000107899, rev 2.0, dated 2011-09-21 /U 16/ Installation & User Manual (Catalog Numbers 1734-IB8S, 1734-OB8S, 1734- IE4S), Publication 1734-UM013E-EN-P - Preliminary 2012 3.4. Presented test reports and certificates The following tests and test reports were performed by other accredited test labs. /U 17/ Report-No.: 968/EZ 480.00/10, dated 2010-11-15 TÜV Rheinland Industrie Service GmbH /U 18/ EMC Test Report No. 359949, 815774, 182625, 96460, 39014 /U 19/ Technical Report 1734-IE4S Environmental Test (Shock and Vibration), Record Id# 80731 /U 20/ Technical Report 1734-IE4S Environmental Test (Temperature and Humidity), Record Id# 808578 /U 21/ ODVA DeviceNet Safety Composite Test, ODVA File Number 10968-2 ODVA Inc. /U 22/ ISO9001:2008 certificate, CERT-09379-2004-USA-RvA Rev. 1 valid until 2013-05-17 Det Norske Veritas Certification, Inc. Report-No.: 968/EZ 480.01/12 Page 7 of 24

4. Performance of tests and results 4.1. General The measuring and test equipment, which has been used by the TÜV Rheinland Group in the tests described in the following, is subject to regular inspection and calibration. Only devices with valid calibration have been used. The devices used in the various tests are recorded in the inspector s documentation. All considerations concerning uncertainty of the measurements, so far applicable, are stated in the inspector s documentation, too. In cases where tests have been executed in an external test lab or in the test lab of the manufacturer and where the results of these tests have been used within the here documented approval, this has occurred after a positive assessment of the external test lab and the achieved test results in detail according to the Quality Management procedure QMA 3.310.05. 4.2. Test steps The functional safety assessment of the 1734-IE4S and 1734-IE4SXT was performed by the concept and the main assessment. The steps outlined below were performed as part of the concept assessment. Review of SRS and FRS according to IEC 61508 Review of measures for avoiding systematic failures as part of the hardware and software development Evaluation of measures for detection of random failures during operation Review of the verification and validation plan Assessment of the requirements for the management of functional safety on project/product level Based on the concept assessment (details are documented under /U 17/) the main assessment was performed with the steps listed below. Review of the documentation as part of the development life cycle Judgement of the FMEA at component level regarding the relevant failure mode requirements for SIL 3 (IEC 61508) and Pl e / Cat. 4 (EN ISO 13849-1) Review of the safety relevant parameter calculations (PFD/PFH, SFF) with regard to SIL 3 Performance and verification of functional tests and fault insertion tests Assessment of the relevant requirements driven by the application standards (e.g. NFPA) Review of the submitted test reports (EMC, Environmental) 4.3. Inspection to the requirements of IEC 61508 and EN62061 4.3.1. Inspection of the documentation for completeness and correctness The documents /U 1/, /U 2/ and /U 3/ were presented by the customer as the actual specification and safety concept. These documents were checked for completeness, consistency and correctness according to the requirements of /N 1/. The presented documents are found to meet the requirements of the test basis with regard to completeness, consistency and correctness. Report-No.: 968/EZ 480.01/12 Page 8 of 24

4.3.2. Assessment of the management of functional safety The assessment was carried out by inspection of the specified management and technical activities/procedures as part of the development cycle to achieve the required functional safety as well as the consideration of the responsibilities (persons, departments and organizations) for the development cycle. The reviewed policy and strategy (RA TQCS) detailed mandatory requirements (e.g. verification and validation activities, management and communication policies, safety plan) and was classified as sufficient according to /N1/. The overall functional safety assessment was done by the Test Institute, whereby the required minimum level of independence was achieved. 4.3.3. Assessment of measures to avoid failures during the different phases of the life cycle Techniques and measures to control and avoid systematic failures during the different phases of the lifecycle were inspected in accordance to /N 1/. The following techniques and measures were subjected to evaluation: Project management according to ISO 9001:2008 (see /U 22/) Documentation and review activities controlled by RA TQCS Policy (e.g. development cycle procedures, design validation procedures) Structured design in hardware and software (see /U 4/) Controlled firmware development process and using of programming guidelines (C++) to achieve consistent firmware and documentation EMC and environmental tests with increased levels for safety related products Consistent and comprehensible installation and user documentation (see /U 16/) The inspected techniques and measures described in /U 9/ (section 1.2 and 1.3) to control and avoid systematic failures during the different phases of the lifecycle are sufficient according to the requirements of SIL 3 to /N 1/. The verification and validation plan /U 9/ deals with all individual phases of the lifecycle of the product. 4.3.4. Assessment of measures to control failures during operation The measures to control failures during operation were evaluated regarding to the requirements of IEC 61508-2, Annex A. The implemented measures are described in /U 12/ (section 7.4) and were analyzed concerning the required diagnostic coverage under the subjected fault model. The following essential measures to control failures during operation were confirmed: Over- and under voltage monitoring with safe shut off Combination of temporal and logical monitoring of program sequences (Execution Sequence Diagnostic, I/O Heartbeat Watchdog Test, Timer Diagnostics) Background stack monitoring Report-No.: 968/EZ 480.01/12 Page 9 of 24

32 bit CRC algorithm for the invariable memory ranges (start up and run-time background diagnostic) RAM Galpat data diagnostic as part of the run-time background diagnostic Safety Protocol Cross Compare Input with automatic checks Information redundancy (channel discrepancy diagnostic) in order to detect soft errors The implementation of the measures to control failures during operation were proven by functional tests documented in /U 15/ fault insertion tests documented in /U 13/ and the analysis of the corresponding software sources. The above results have shown, that the measures to control failures during operation (random and systematic) are in accordance to the requirements of SIL 3 to /N 1/. 4.3.5. Hardware design inspection The hardware design was inspected by performing the Hardware-FMEA under consideration of representative hardware faults at component level. The Hardware-FMEA is documented in /U 12/ and based on the schematic drawn up in /U 6/. The assessment was carried out regarding the diagnostic coverage and the fault model required by /N 1/ for SIL 3 and under consideration of the hardware architecture (see 3.1). The function- and fault insertion tests were performed in co-ordination with Rockwell. The Hardware-FMEA at component level has shown, that the implemented measures to detect failures during operation are adequate for the considered fault model. The performed function- and fault insertion tests have shown no dangerous failure in relation to the fault model required by /N 1/. The results of the fault insertion tests are documented in /U 13/. 4.3.6. Software design inspection The software assessment was done by: Review of the architecture and the basic safety strategy for the embedded software Assessment of the software design at architectural level and review of the implemented measures to detect failures during operation (e.g. RAM test Galpat) at code line level Checking programming guidelines used for the software Verification of Software Tests (functional testing, white-box testing, statistical testing, code coverage) Review of the tool qualification in reference to the T1-T3 classes for tools The architecture of the software is characterized by a clearly structured design. No obvious deviations from the firmware architecture described in /U 7/ were identified during the review of the software sources documented in /U 10/. No obvious deviations from the stipulations of the specifications /U 7/ were identified in the course of checking the software design /U 10/. The implemented measures to detect failures during operation were inspected at code line level and were judged to be sufficient regarding the SIL 3 requirement. Report-No.: 968/EZ 480.01/12 Page 10 of 24

The inspection of the software based on the coding guideline /U 11/ as well as the review of the performed static code analysis (PC-Lint) has revealed no functional safety related issues. The functional tests documented in the manufacturer's test plan /U 15/ were judged to be sufficient. The combination of functional testing, white-box testing and statistical testing provides evidence that each software module satisfies its associated specification. The review of the software version V 1.1 (1734-IE4S and 1734-IE4SXT) shows that the requirements of SIL 3 of the IEC 61508 regarding the software life cycle are fulfilled. The tools utilized for the design and development are listed under /U 9/ (see section 1.4) and have been classified in reference to the T1-T3 classes of IEC61508-3. The assessment of the tools was done by different measures and techniques (e.g. defect history analysis, compiler validation review, release review, etc.) The above results have shown that the measures to avoid systematic failures during the software design and development are in accordance to the requirements of SIL 3 to /N 1/. 4.3.7. Calculation of the safety related parameters The calculation of the safety relevant parameters was performed by manufacturer and is documented under /U 14/. The following values were calculated by the manufacturer, reviewed and accepted by the Test Institute: Catalogue Number PFH [h -1 ] PFD av (T=10y) SFF 1734-IE4S 5,5 E-11 2,4 E-6 98,9% 1734-IE4SXT 5,5 E-11 2,4 E-6 98,9% Table 3: Safety related parameters in reference to /N 1/, single mode operation (Figure 1) Catalogue Number PFH [h -1 ] PFD av (T=10y) SFF 1734-IE4S 3,8 E-11 1,6 E-6 98,9% 1734-IE4SXT 3,8 E-11 1,6 E-6 98,9% Table 4: Safety related parameters in reference to /N 1/, dual mode operation (Figure 2) The calculation of the safety relevant parameters has shown, that the requirements of SIL 3 to /N 1/ are fulfilled. The review of the components failure rates, resulting from a third party data base, correlates with the SN 29500 and was accepted by the Test Institute. 4.4. Assessment regarding the EN ISO 13849-1:2008 + AC:2009 The 1734-IE4S and 1734-IE4SXT were inspected regarding the requirements for Performance Level e (PL e) and category 4 (cat. 4) to /N 2/. Report-No.: 968/EZ 480.01/12 Page 11 of 24

All single failures will be detected by appropriate diagnostic measures. The effectiveness of these diagnostics were assessed during the assessment in reference to /N 1/. For components which are not covered by diagnostics the failure accumulation up to 2 failure in combination were considered. The resulted effects of the failure accumulation have shown no loss of the safety function. The safety structure, diagnostics and the detection of failures complies to the requirements of Performance Level e (PL e) and category 4 (cat. 4) in reference to /N 2/. Catalogue Number MTTF d DC avg Cat. PL 1734-IE4S 100 years High 4 e 1734-IE4SXT 100 years High 4 e Table 5: Safety related classification in reference to /N 2/ 4.5. Application specific considerations 4.5.1. Requirements according to EN 13611:2007 + A2:2011 The EN 13611:2007 + A2:2011 specifies methods for classification and assessment of control devices designed to operate gas burners and gas burning appliances, particularly regarding their fault behaviour and preventative measures. The 1734-IE4S and 1734-IE4SXT have been assessed to the applicable class C requirements of EN 13611:2007 + A2:2011. Clause Requirements Result 6.6 Functional safety requirements see clause 6.6.1 6.6.1 Requirements for control devices 6.6.1.1 Failure avoidance and failure control Fulfilling the requirements of IEC 61508 (SIL 3), EN ISO13849-1 (PL e, Cat. 4) is sufficient. 6.6.1.2 Reset device Requirement on system level architecture by the end user. 6.6.1.3 Documentation Fulfilling the requirements of IEC 61508 (SIL 3), EN ISO13849-1 (PL e, Cat. 4) is sufficient. 6.6.2 Class A Class C was applied. 6.6.3 Class B Class C was applied. 6.6.4 Class C Fulfilling the requirements of IEC 61508 (SIL 3), EN ISO13849-1 (PL e, Cat. 4) is sufficient. Report-No.: 968/EZ 480.01/12 Page 12 of 24

Clause Requirements Result 6.6.5 Circuit and construction requirements Fulfilling the requirements of IEC 61508 (SIL 3), EN ISO13849-1 (PL e, Cat. 4) is sufficient. For details see also /U 12/ and /U 13/. 7 Functional requirements Environmental requirements are fulfilled in reference to /N 4/. For details see 4.8. 8 EMC requirements Increased EMC levels have been used in reference to /N 5/. For details see 4.6. 9 Marking requirements Passed The 1734-IE4S and 1734-IE4SXT are fulfilling the requirements of IEC 61508 (SIL 3) and EN ISO13849-1 (PL e, Cat. 4) and can be used as a class C control device in reference to annex J and K of EN 13611:2007 + A2:2011. The user shall comply with all other requirements from /N 8/ including requirements that have an effect on the safety configuration of the 1734-IE4S and 1734-IE4SXT. 4.5.2. Requirements according to EN 14459:2008 The EN 14459:2008 specifies methods for classification and assessment of function blocks designed to operate gas burners and gas burning appliances, particularly regarding their fault behaviour and preventative measures. The 1734-IE4S and 1734-IE4SXT have been assessed to the applicable requirements of EN 14459:2008 by using the RSLogix 5000 programming software. Clause Requirements Result 4-6.6.5 EN 13611:2007 shall apply See applicable results under section 4.5.1 of this test report. 6.6.6 Assessment for control functions in gas appliances 6.6.6.1 Potential hazards arising from the use of gas appliances are among others covered by means of control functions. Informative 6.6.6.2 Fault tolerating time is determined by the ability of the appliance to tolerate a fault for a certain time. 6.6.6.3 Fault modes on the appliance level shall be considered for assessing a certain control function. If not defined by the appliance standard, fault modes that are specific for the appliance with relation to the control function, shall be declared by the manufacturer, based on a clear description. Requirement on application level by the end user. DC fault model of /N 1/ are applied to the modules. 7 Performance 7.1-7.10 EN 13611:2007 shall apply See applicable results under section 4.5.1 of this test report. 7.11-7.12 Combined apparatus and Multifunctional systems Requirement on system level architecture by the end user. Report-No.: 968/EZ 480.01/12 Page 13 of 24

Clause Requirements Result 7.13 Data exchange 7.13.1 Systems or apparatus with control functions may be connected to separate, independent apparatus or systems (which may themselves contain control functions or provide other information). Any data exchange between these systems or apparatus shall be taken into consideration regarding safety. Requirement on system level architecture by the end user. 7.13.2 Regarding safety relevance and influence, message types for data exchange in a control function or functions shall be defined according to as: - safety related; - non-safety related. Separation of safety and non-safety functions is supported and shall be considered on architecture on application level. 7.13.3 Communication of safety related data 7.13.3.1 Transmission Safety related data shall be transmitted authentically concerning: - quantity of data (i.e. all data expected to and from respective addresses); - quality of data (i.e. in a correct and precise manner); - appropriate transmission time. Data variation or corrupted data shall not lead to an unsafe state. 7.13.3.2 Access to data exchange All types of access to a safety related data exchange system shall be clearly restricted. Safety related operating data, configuration parameters and/or software modules may be transmitted to control functions via communication, providing adequate hardware/software measures are taken to ensure that no unwanted access to the control function is possible. The CIP safety communication layer is SIL 3 certified (see /U 21/). Not applicable Requirement on system level architecture by the end user. 8-9 EN 13611:2007 shall apply See applicable results under section 4.5.1 of this test report. Table 6 Applicable requirements of EN14459:2008 The review of the 1734-IE4S and 1734-IE4SXT in reference to the requirements of Table 7 has shown no deviations. The user shall comply with all other requirements from /N 7/ including requirements that have an effect on the safety configuration of the 1734-IE4S and 1734-IE4SXT. 4.5.3. Requirements according to NFPA 72:2010 The NFPA72:2010 from the National Fire Protection Association contains the requirements for fire alarm and signalling systems. In the following table the relevant general and specific requirements are listed. These requirements are applied to the 1734-IE4S and 1734-IE4SXT. Report-No.: 968/EZ 480.01/12 Page 14 of 24

Clause Requirements Result 10 System Fundamentals 10.5 Power supplies Installation requirements applies to the end user. 10.5.3.2 Unless configured in compliance with 10.5.4, at least two independent and reliable power supplies shall be provided, one primary and one secondary. 10.5.3.4 Monitoring the integrity of the power supplies shall be in accordance with 10.17.3 Installation requirements applies to the end user. See paragraph 10.17.3 10.14 Performance and limitation 10.14.1 Voltage, Temperature, and Humidity Variation. Equipment Passed shall be designed so that it is capable of performing its intended functions under the following conditions: (1)* At 85 percent and at 110 percent of the nameplate primary (main) and secondary (standby) input voltage(s) (1) IEC 61131-2:2007 (2) At ambient temperatures of 0 C (32 F) and 49 C (120 F) (3) At a relative humidity of 85 percent and an ambient temperature of 30 C (86 F) (2) IEC 61131-2:2007 DIN EN 60068-2-14, test Nb (3) IEC 61131-2:2007 DIN EN 60068-2-30, test Db, variant 2 10.15 Protection of Fire Alarm Systems Installation requirements applies to the end user. 10.16 Annunciation and annunciation zoning Installation requirements applies to the end user. 10.17 Monitoring integrity 10.17.1.1 Unless otherwise permitted or required by 10.17.1.3 through 10.17.1.14, all means of interconnecting equipment, devices, and appliances and wiring connections shall be monitored for the integrity of the interconnecting conductors or equivalent path so that the occurrence of a single open or a single ground fault condition in the installation conductors or other signalling channels is automatically indicated within 200 seconds. 10.17.1.2 Unless otherwise permitted or required by 10.17.1.3 through 10.17.1.14, all means of interconnecting equipment, devices, and appliances and wiring connections shall be monitored for the integrity of the interconnecting conductors or equivalent path so that the restoration to normal of a single open or a single ground fault condition in the installation conductors or other signaling channels is automatically indicated within 200 seconds. Single open or a single ground fault are detected within 200sec. Restoration to normal is processed within 200sec after clearing the fault condition. 10.17.3 Monitoring Integrity of Power Supplies 10.17.3.1 Unless otherwise permitted or required by 10.17.3.1.3 and 10.17.3.1.6, all primary and secondary power supplies shall be monitored for the presence of voltage at the point of connection to the system. All power domains are monitored. Report-No.: 968/EZ 480.01/12 Page 15 of 24

Clause Requirements Result 10.17.3.1. 1 Failure of either supply shall result in a trouble signal in accordance with Section 10.12. Installation requirements, applies to the end user. 10.18 Documentation 14.2.4.1 The provided documentation shall include the current revisions of all fire alarm software and the revisions of software of any systems with which the fire alarm software interfaces. 14.2.4.2 The revisions of fire alarm software, and the revisions of the software in the systems with which the fire alarm software interfaces, shall be verified for compatibility in accordance with the requirements of 23.2.2.1.1. Application and firmware can be clearly identified by using RSLogix 5000 programming software. See following paragraph 23.2.2.1.1 17 Initiating devices Not applicable 23 Protected Premises Fire Alarm Systems Passed (applicable sections). 23.2.2 Software and Firmware control 23.2.2.1.1* Software and firmware within the fire alarm control system that interfaces to other required software or firmware shall be functionally compatible. 23.2.2.1.2* The compatible software or firmware versions shall be documented at the initial acceptance test and at any reacceptance tests. 23.2.2.2* All software and firmware shall be protected from unauthorized changes. Requirement on system level architecture by the end user. Requirement on system level architecture by the end user. 23.2.2.4 All changes shall be tested in accordance with 14.4.1.2. Testing requirements applies to the end user. 23.6* Performance of signalling line circuits (SLC) 23.6.1 The assignment of class designations to signalling line Informative circuits shall be based on their performance capabilities under abnormal (fault) conditions in accordance with the requirements for Class A, Class B, or Class X pathways specified in Chapter 12 and the requirements of 23.6.2 through 23.6.5. 23.6.2 An open, short circuit, or ground fault shall result in the annunciation of a trouble signal. 23.6.3 Class B pathways shall maintain alarm capability during the application of a single ground fault. 23.6.4 Class A and Class X pathways shall maintain alarm capability during the application of a single ground fault, and also during the combination of a single open and a single ground fault. 23.6.5 Where digital communications are used, inability to send or receive digital signals over a signalling line circuit shall be indicated by a trouble signal. Table 7: Applicable requirements of NFPA72:2010 Requirement on system level architecture by the end user. Requirement on system level architecture by the end user. Requirement on system level architecture by the end user. Report-No.: 968/EZ 480.01/12 Page 16 of 24

The review of the 1734-IE4S and 1734-IE4SXT in reference to the requirements of Table 7 has shown no deviations. The user shall comply with all other requirements from /N 9/ including requirements that have an effect on the safety configuration of the 1734-IE4S and 1734-IE4SXT. 4.5.4. Requirements according to NFPA 79:2012 The NFPA79:2012 from the National Fire Protection Association contains the electrical requirements for industrial machinery. In the following table the relevant general and specific requirements are listed. These requirements are applied to the 1734-IE4S and 1734-IE4SXT. Clause Requirements Result 4.4 Physical environmental and operation conditions (covering EMC, climatic and mechanical requirements) See sections 4.6 and 4.8 of the report. 6 Protection against electrical shock See section 4.7 of the report. 9.4.3 Control Systems Incorporating Software and Firmware See following paragraphs Based Controllers 9.4.3.1, 9.4.3.3 and 9.4.3.4 9.4.3.1 Software modification 9.4.3.3 Software verification 9.4.3.4 Use in safety related functions Control systems incorporating software and firmware based controllers performing safety-related functions shall conform to all of the following: (1) In the event of any single failure perform as follows: (a) Not lead to the loos of the safety function(s) (b) Lead to the shutdown of the system in a safe state (c) Prevent subsequent operation until the component failure has been corrected (d) Prevent unintended start-up of equipment upon correction of the failure (2) Provide protection equivalent to that of control systems incorporating hardwired / hardware components. (3) Be designed in conformance with an approved standard that provides requirements for such systems Table 8: Applicable requirements of NFPA79:2012 See section 4.3.6 of the report. The review of the 1734-IE4S and 1734-IE4SXT in reference to the requirements of Table 8 has shown no deviations. The user shall comply with all other requirements from /N 10/ including requirements that have an effect on the safety configuration of the 1734-IE4S and 1734-IE4SXT. Report-No.: 968/EZ 480.01/12 Page 17 of 24

4.5.5. Requirements according to NFPA 85:2011 The NFPA85:2011 from the National Fire Protection Association contains the requirements for boiler and combustion systems. In the following table the relevant general and specific requirements are listed. These requirements are applied to the 1734-IE4S and 1734-IE4SXT. Clause Requirement Results 85 1 Chapter 1 Administration Requirement on system level for the end user. 85 2 Referenced Publications Informative 85 3 Definitions Informative 85 4 Fundamentals of Boiler Combustion Systems Informative 85 4.1 Manufacturer, Design and Engineering Requirement on system level for the end user. 85 4.2 Installation Requirement on system level for the end user. 85 4.3 Coordination of Design, Construction and Operation Requirement on system level for the end user. 85 4.4 Maintenance, Inspection, Training and Safety Requirement on system level for the end user. 85 4.5 Basic Operating Requirements Requirement on system level for the end user. 85 4.6 Structural Design Requirement on system level for the end user. 85 4.7 Functional Requirements for Fuel-Burning Systems Requirement on system level for the end user. 85 4.8 Multiple Boilers Requirement on system level for the end user. 85 4.9 Gasenous Vent Systems Requirement on system level for the end user. 85 4.10 Fuel System Venting Requirement on system level for the end user. 85 4.11 Burner Management System Logic 85 4.11.1 As a minimum, the requirements of 4.11.2 through 4.11.10 shall be included in the design to ensure that a logic system for burner management meets the intent of these standards. See following paragraphs (4.11.2 through 4.11.10) Report-No.: 968/EZ 480.01/12 Page 18 of 24

Clause Requirement Results 85 4.11.2 85 4.11.3 85 4.11.3.1 85 4.11.3.2 85 4.11.4 85 4.11.5 The logic system for burner management shall be designed specifically so that single failure in that system does not prevent an appropriate shutdown. The burner management system interlock and alarm functions shall be initiated by one or more of the following: One or more switches or transmitters that are dedicated to the burner management system. One or both signals from two transmitters exceeding a preset value. The median signal from three transmitters exceeding the preset value. When signals from multiple switches or transmitters are provided to initiate interlock or alarm functions, those signals shall be monitored in comparison to each other by divergence or other fault diagnostic alarms. When signals from multiple switches or transmitters are provided to initiate interlock or alarm functions, the provided signals shall be generated by individual sensing devices connected to separate process taps. Alarms shall be generated to indicate equipment malfunction, hazardous conditions, and misoperation. The burner management system designer shall evaluate the failure modes of components, and as a minimum the following failures shall be evaluated: 1. Interruptions, excursions, dips, recoveries, transients and partial losses of power 2. Memory corruption and losses 3. Information transfer corruption and losses 4. Inputs and Outputs (fail-on, fail-off) 5. Signals that are unreadable or not being read 6. Failure to address errors 7. Processor faults 8. Relay coil failure 9. Relay contact failure (fail-on, fail-off) 10. Timer failure All single failures will be detected by appropriate diagnostic measures. Shutdown has to be considered at the overall system level. Requirement on application and system Not applicable Requirement on application and system Requirement on application and system Requirement on application and system See sections 4.3 and 4.4 of this test report. Report-No.: 968/EZ 480.01/12 Page 19 of 24

Clause Requirement Results 85 4.11.6 85 4.11.7 85-4.11.8 85 4.11.9 85 4.11.10 The design of the logic system for burner management shall include and accommodate the following requirements: 1. Diagnostic shall be included in the design to monitor processor logic function. 2. Logic system failure shall not preclude proper operator intervention. 3. Logic shall be protected from unauthorized changes. 4. Logic shall not be changed while the associated equipment is in operation. 5. System response time (through-put) shall be short to prevent negative effects on the application. 6. Protection from the effects of noise shall prevent false operation. 7. No single component failure within the logic system shall prevent a mandatory master fuel trip. 8. The operation shall be provided with a dedicated manual switch(es) that shall actuate the master fuel trip relay independent and directly 9. At least one manual switch ref in 4.11.6(8) shall be identified and located remotely where it can be reached in case of emergency 10. The logic system shall be monitored for failure. 11. Failure of the logic system shall required a fuel trip for all equipment supervised by the failed logic system. 12. Logic shall be maintained either in nonvolatile storage or in other memory that retains information on the loss of system power. Requirements for Independence Momentary Closing of Fuel Values. Circuit Devices. No momentary contact or automatic resetting device, control, or switch that can cause chattering or cycling of the safety shutoff valves shall be installed in the wiring between the load side (terminal) of the primary or programming control and the main or ignition fuel valves. Documentation. Documentation shall be provided to the owner and operator, indicating that all safety devices and logic meet the requirements of the application. Passed (1) is inherent to section 4.3 and 4.4 of this test report. (2) to have to be considered at the system level. (12) Logic remains maintained after loss of power. Note: Remaining items have to be considered by the end user at the application level. Not applicable Not applicable Not applicable Logic sequences have to be implemented by the end user at the application level. Passed See safety manual /U 16/. 85 4.12 Flame Monitoring and Tripping System. Not applicable Report-No.: 968/EZ 480.01/12 Page 20 of 24

Clause Requirement Results 85 4.13 Combustion Control System Not applicable 85 4.14 Power-Supplies. Precautions shall be taken to ensure the availability of a failure-free power-supply (electric or pneumatic) to all control and safety devices. Not applicable Requirement on application and system 85 4.15 Operating Information Not applicable 85 4.16 Selective Catalytic Reduction Not applicable 85 5 Single Burner Boilers Not applicable 85 6 Multiple Burner Boilers Not applicable 85 7 Atmospheric Fluidized Bed Boilers Not applicable 85 8 Heat Recovery Steam Generators and Other Combustion Turbine Exhaust Systems Not applicable 85 9 Pulverized Fuel Systems Not applicable 85 10 Stokers Not applicable Table 9: Applicable requirements of NFPA85:2011 The review of the 1734-IE4S and 1734-IE4SXT in reference to the requirements of Table 9 has shown no deviations. The user shall comply with all other requirements from /N 11/ including requirements that have an effect on the safety configuration of the 1734-IE4S and 1734-IE4SXT. 4.5.6. Requirements according to NFPA 86:2011 The NFPA 86:2011 from the National Fire Protection Association contains the requirements for oven and furnaces. In the following table the relevant general and specific requirements are listed. These requirements are applied to the 1734-IE4S and 1734-IE4SXT. Clause Requirement Compliance description 86 1 Administration Informative 86 2 Referenced Publications Informative 86 3 Definitions Informative 86 4 General Report-No.: 968/EZ 480.01/12 Page 21 of 24

Clause Requirement Compliance description 86 5 Location and Construction 86 6 Furnace Heating Systems 86 7 Commissioning, Operation, Maintenance, Inspection and Testing 86 8 Safety Equipment and Application 86 8.2 Safety Device Requirements Informative 86 8.2.1 All Safety devices shall meet one of the following See paragraph 8.4 criteria: (3) Be programmable controllers applied in accordance with Section 8.4 86 8.3 Logic Systems Informative 86 8.3.1 General Informative 86 8.3.2 Hardwired Logic Systems Not hardwired. 86 8.4 Programmable Logic Controller Systems 86 8.4.2.1 86 8.4.2.2 86 8.4.2.3 (E) The PLC shall detect the following conditions: (1) Failure to execute any program or task containing safety logic (2) Failure to communicate with any safety input or output (3) Changes in software set point of safety functions (4) Failure of outputs related to safety functions (5) Failure of timing related to safety functions (F) A safety shutdown shall occur within 3 seconds of detecting any condition listed failures in (E) Hardware (A) Memory that retains information on loss of system power shall be provided by software (B) The PLC shall have a minimum mean-timebetween failures (MTBF) rating of 250,000 hours (D) Output checking shall be provided for PLC outputs controlling fuel safety shutoff valves and oxygen safety shutoff valves. Software (A) Access to the PLC and its logic shall be restricted to authorized personnel. (B) The following power supplies shall be monitored: (1) Power supplies used to power PLC inputs and outputs that control furnace safety functions See sections 4.3 and 4.4 of this test report. Requirement on application and system (A ) Logic remains maintained after loss of power. MTBF 250,000 hours Not applicable, analog inputs only. Password for safety application See sections 4.3 and 4.4 of this test report. Report-No.: 968/EZ 480.01/12 Page 22 of 24

Clause Requirement Compliance description (C) When any power supply required by 8.4.2.3 (B) (1) fails, the dedicated PLC output required in 8.4.2.1(G) shall be deactivated. (E) Software shall be documented as follows (1) Labeled to identify elements or group of elements containing safety software (2) Labeled to describe the function of each element containing safety software. 86 8.4.5 Safety PLCs (A) Where used for combustion safety service, safety programmable logic controllers shall have the following characteristics: (1) The processor and the input and output (I/O) shall be listed for control reliable service with an SIL rating of at least 2. (2) Access to PLCs dedicated to safety functions shall be restricted. (3) Nonsafety functions, where implemented, shall be independently accessible from safety functions. (4) All safety function sensors and final elements shall be independent of operating sensors and final elements. Table 10 Applicable requirements of NFPA86:2011 Analog inputs only. If a power failure is occurs the analog inputs stops the communication. Application and firmware can be clearly identified by using RSLogix 5000 programming software. Passed See sections 4.3 and 4.4 of this test report. The review of the 1734-IE4S and 1734-IE4SXT in reference to the requirements of Table 10 has shown no deviations. The user shall comply with all other requirements from /N 12/ including requirements that have an effect on the safety configuration of the 1734-IE4S and 1734-IE4SXT. 4.6. Review of EMC The EMC tests were performed at the Environmental Evaluation Laboratory of Rockwell Automation. The product certification lab is audited for compliance to ISO 17025, and is an independent department. The review of the test results documented in /U 18/ has shown, that the product requirements according to /N 4/ and /N 5/ are fulfilled. 4.7. Information to electrical safety The 1734-IE4S and 1734-IE4SXT are connected to 24VDC powered by the DeviceNet or additional external 24VDC power supplies. All outputs (e.g. sensor supply) are internally fused and operating to a nominal voltage of 24VDC. A power supply that will be used for 1734-IE4S and 1734-IE4SXT in safety application shall fulfil the requirements according to EN 50178 or similar standards. Power supplies shall fulfil the requirements for Protective Extra-low-Voltage (PELV) or Safety Extra Low Voltage (SELV). No voltage greater then 24VDC is generated by the device. Report-No.: 968/EZ 480.01/12 Page 23 of 24

4.8. Review of the climatic and mechanical tests The climatic and mechanical tests for the 1734-IE4S and 1734-IE4SXT were performed by the Environmental Evaluation Laboratory of. The product certification lab is audited for compliance to ISO 17025, and is an independent department. The review of the test results documented in /U 19/ and /U 20/ has shown no obviously derivations regarding the climatic and mechanical test requirements stipulated by /N 4/. 4.9. Additional aspects 4.9.1. Programming and configuration tools For the 1734-IE4S and 1734-IE4SXT the following parts of software will be used: RSLogix 5000 programming software. RSNetworks Network configuration. Both parts of software are not safety relevant. The special requirements for the PC-based software used for safety related configuration tasks are clearly described in the /U 16/ and have to be observed. 4.9.2. Communication requirements The 1734-IE4S and 1734-IE4SXT shall be connected to the DeviceNet or EtherNet/IP network and proceed information with other compatible partners by using the CIP safety communication. The CIP safety communication layer is SIL 3 certified. The test results documented in /U 22/ have shown no derivations regarding the compliance to the DeviceNet Safety protocol. 5. Summary During the assessment no infringement of the functional and safety related requirements outlined in the applied standards could be found. Observance have to be given to the installation instructions /U 16/ released by. On the basis of the above assessment the 1734-IE4S and 1734-IE4SXT, specified under chapter 3.2, can be used in SIL 3 (IEC 61508), SIL CL 3 (EN62061) and Pl e / Cat. 4 (EN ISO 13849-1) applications. The resistance against the environmental conditions (climatic, mechanic, EMC) fulfils the requirements of /N 4/ and /N 5/. Cologne, 2012-02-28 Report released after review: TIS/ASI/Kst. 968 hay-nie Date: 2012-02-28 The inspector Dipl.-Ing. Matthias Haynl Dipl.-Ing. Heinz Gall Report-No.: 968/EZ 480.01/12 Page 24 of 24