Rockwell Automation Publication 1715-UM001J-EN-P - December 2020
Chapter 7 1715 Redundant I/O System in SIL 2 Safety Applications
DLR Topology
Figure 63 - Simplex DLR with a ControlLogix Controller
For duplex configurations, a SIL 2 fault-tolerant architecture has dual input,
dual adapter, and dual output modules. The input modules operate in 1oo2 (1
out of 2) under no fault conditions and degrade to 1oo1 (1 out of 1) upon
detection of the first fault in either module. The modules fail-safe if faults
occur on both modules. The adapters operate in 1oo2 under no-fault conditions
and degrade to 1oo1 upon detection of the first fault. A duplex system could
therefore be 1oo2 reverting to 1oo1 on the first detected fault and reverting to
fail-safe when both modules have a fault. Fail-safe is defined as the
‘de-energized’ or ‘off’ state.
The Ethernet architecture has no effect on SIL 2 safety functions. You can use
either of these example drawings, or any other appropriate Ethernet network.
From a safety aspect, if the Ethernet packets are not sent successfully, then the
SIL 2 safety functions go to their respective safe states.
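The degradation ladder and the network-loss behavior described above, modeled as an added example (not Rockwell code and not a 1715 API). The `Channel` class, the function names, and the de-energize-to-trip reading of 1oo2 voting are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ONE_OO_TWO = "1oo2"      # both modules healthy
    ONE_OO_ONE = "1oo1"      # first fault detected, one module left
    FAIL_SAFE = "fail-safe"  # both modules faulted


@dataclass
class Channel:
    """One module of a duplex pair (hypothetical model, not a 1715 API)."""
    permits_run: bool        # True = this module sees no trip demand
    faulted: bool = False    # True = diagnostics detected a module fault


def voting_mode(a: Channel, b: Channel) -> Mode:
    """Degradation ladder from the text: 1oo2 -> 1oo1 -> fail-safe."""
    faults = int(a.faulted) + int(b.faulted)
    return (Mode.ONE_OO_TWO, Mode.ONE_OO_ONE, Mode.FAIL_SAFE)[faults]


def output_energized(a: Channel, b: Channel, packets_ok: bool = True) -> bool:
    """Return True only when the safety function may stay energized.

    Assumption: de-energize-to-trip, so False is the safe ('off') state.
    """
    if not packets_ok:
        return False  # Ethernet packets not delivered -> safe state
    if voting_mode(a, b) is Mode.FAIL_SAFE:
        return False  # both modules faulted -> de-energized
    healthy = [c for c in (a, b) if not c.faulted]
    # 1oo2: a trip demand from either healthy module is enough to trip.
    # 1oo1: the single remaining module decides alone.
    return all(c.permits_run for c in healthy)


if __name__ == "__main__":
    # Constructed scenario: module A faults first, then module B.
    a, b = Channel(permits_run=True), Channel(permits_run=True)
    print(voting_mode(a, b).value, output_energized(a, b))
    a.faulted = True
    print(voting_mode(a, b).value, output_energized(a, b))
    b.faulted = True
    print(voting_mode(a, b).value, output_energized(a, b))
```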
[Figure 63 diagram labels: 1756-L72, 1756-EN2TR, 1715-AENTR (two), 1715-A2A, 1715-A3IO (two), 1715-IB16D, 1715-OB8DE, 1715-IF16, 1715-OF8I, 1715-TASIB16D, 1715-TASOB8DE, 1715-TASIF16, 1715-TASOF8, Sensor, Actuator, SIL 2 ControlLogix Safety Loop]