The IS420UCSBS1A is a Safety Controller within the Mark VIeS series, specifically engineered for industrial functional safety loops requiring SIL 2 and SIL 3 (Safety Integrity Level) capabilities. Designed as a standalone, robust computing unit, this controller is central to critical safety applications in industries such as power generation, oil & gas, and chemical processing, where operational reliability and risk mitigation are paramount.
Certified in accordance with the IEC 61508 standard, the IS420UCSBS1A, along with its dedicated Safety I/O modules, provides a certified platform for implementing Safety Instrumented Systems (SIS), effectively reducing risk in critical safety functions.
2. System Architecture & Hardware Design
2.1 Standalone Modular Design
The IS420UCSBS1A features a self-contained, modular architecture. Unlike traditional controllers where I/O is housed on a backplane, it communicates with distributed I/O packs exclusively via a private, special-purpose Ethernet network called IONet. This design eliminates any single point of failure for application input. If a controller is powered down for maintenance or repair, the system architecture guarantees that no single input is lost, ensuring continuous operation of the safety loop.
2.2 Processor and Memory
2.3 Fanless Design and Power Supply
Cooling: The IS420UCSBS1A is a fanless module, relying on passive cooling through integrated heat fins. This eliminates a common point of failure, improves reliability, and reduces maintenance.
Power Input: Accepts a 28 V DC input.
Internal Power Conversion: The incoming 28 V DC is converted to a regulated internal 5 V DC supply, from which all other internal power planes are derived.
Power Consumption: Peak power draw is 26.7 W, with a nominal operational consumption of 15.6 W.
2.4 Environmental Ruggedness
3. Communication & Networking Capabilities
3.1 The IONet Network
The controller connects to I/O modules through three independent IONet ports.
Network Type: A private Ethernet network dedicated solely to Mark* control devices.
Protocol: Uses TCP/IP for reliable communication between controllers and I/O modules.
Redundancy: IONet redundancy is equal to controller redundancy. In redundant systems, multiple independent IONet paths ensure communication integrity.
3.2 Primary and Secondary Ethernet Interfaces
ENET1 (Primary):
Typically configured as a UDH (Unit Data Highway) connection.
Used for communications with HMIs, historians, and other controllers.
Supports protocols like EGD (Ethernet Global Data), Modbus, and OPC-UA.
ENET2 (Secondary):
3.3 Precision Clock Synchronization
The system uses the IEEE 1588 precision time protocol (PTP) across the R, S, and T IONets to synchronize the clocks of all I/O packs and controllers to within ±100 microseconds, ensuring time-coherent data acquisition and control execution.
4. Software System & Programming
4.1 Operating System
The IS420UCSBS1A runs on QNX Neutrino, a proven, real-time operating system (RTOS) designed for high-speed, high-reliability industrial applications. Its deterministic behavior is crucial for meeting the response-time demands of safety functions.
4.2 Programming Languages
The controller supports multiple programming paradigms to suit different engineering preferences:
Control Block Language: For complex analog and discrete control loops using function blocks.
Relay Ladder Diagram (RLD): For implementing Boolean logic in a familiar ladder format.
Supported Data Types: A comprehensive set including Boolean, 16/32-bit signed/unsigned integers, and 32/64-bit floating-point numbers.
4.3 Online Modifications
Minor modifications to the control software can be made online without requiring a controller restart, enhancing system availability and simplifying troubleshooting.
4.4 Safety Software Branding
A critical feature for functional safety, Branding is a mandatory process required whenever the application code in a Mark VIeS Safety controller is changed and downloaded. This process cryptographically "brands" the new code, ensuring its authenticity and integrity. Any unauthorized change triggers a brand mismatch, alerting operators to a potential safety integrity issue. This is a foundational requirement for maintaining SIL 2/3 certification.
5. Safety Features & Certifications
5.1 Functional Safety Level
The IS420UCSBS1A controller and its associated Safety I/O modules are specifically designed and certified for use in SIL 2 and SIL 3 safety loops as defined by IEC 61508.
5.2 Hardware and Software Certification
The specific control hardware and software comprising the Mark VIeS system have received IEC 61508 certification from a third-party assessor, providing independent validation of their suitability for safety-critical applications.
5.3 Redundancy and Fault Tolerance
The controller is designed to operate in dual or Triple Modular Redundant (TMR) configurations. In these setups, it synchronizes with peer controllers, exchanging:
Internal state values for voting and initialization.
Status and synchronization information.
This architecture ensures that a single controller failure does not lead to a dangerous failure of the safety function.
6. Installation & Maintenance
6.1 Physical Installation
The controller is a single module that mounts directly to panel sheet metal using a keyhole mounting design. It must be installed with vertical airflow through the cooling fins to ensure proper thermal management.
6.2 Status Indicators (LEDs)
The front panel provides a comprehensive set of LEDs for immediate status assessment:
Link: Solid green indicates an established IONet Ethernet link.
Act: Solid or flashing green indicates IONet packet traffic.
Power: Solid green indicates the internal 5V supply is operational.
OnLine: Solid green indicates the controller is online and executing application code.
DC: Solid green indicates this controller is the designated controller in a redundant set.
OT (Over-Temperature): Yellow indicates an alarm condition; Red indicates a trip has occurred.
7. Backup, Restore & Replacement
7.1 Backup and Restore Procedure
A dedicated push-button on the controller allows for backup and restore of the controller's configuration and firmware to a USB drive.
USB Drive Requirement: Must be USB 2.0-compliant, non-encrypted, with a minimum capacity of 4 GB, formatted as FAT32.
Process: The backup/restore status is indicated by the USB On LED. A solid light during the process indicates activity, and it turns off upon successful completion. Flashing indicates a failure.
7.2 Controller Replacement
A structured procedure is defined for replacing a faulty controller, emphasizing safety and data integrity:
Backup: If possible, back up the failing controller's NAND flash.
Power Down: Disconnect the specific power plug (JCR, JCS, or JCT) on the associated JPDC.
Disconnect Cables: Remove IONet and VLAN cables.
Physical Removal: Loosen screws and remove the controller using the keyhole mounting.
Installation: Reverse the process to install the new controller.
Restore & Configure: Restore the backup to the new controller or configure its IP address using the ToolboxST engineering tool via the COM1 port.
