Rockwell Automation Publication 1715-UM001J-EN-P - December 2020
Chapter 7 1715 Redundant I/O System in SIL 2 Safety Applications
The fail-safe lowest commanded value irrespective of the scaling factor is
0 mA. The application cannot change the scaling factor; only an online
update can change the scaling factor.
• Fail-safe guard band
The fail-safe guard is 1% (0…2 mA) and not user-configurable.
Reaction to Faults
If an output module faults, the following status information is reported:
• Module presence
• Module health and status
• Channel health and status
• Field faults
• An echo of the front panel indicators for each module
If any of the following internal conditions exist, the output module fails safe:
• An internal software error is detected
• A power feed combiner over-temperature condition is detected
Shutdown Mode
When the module is in the Shutdown mode, the Ready and Run indicators
turn red. The default state is OFF (de-energized).
Considerations for Sensor and Actuator Configurations
The function of a signal must be considered. In many cases, redundant sensor
and actuator configurations can be used, or differing sensor and actuator
types provide alternate detection and control possibilities. Plant facilities
frequently have related signals such as start and stop signals. In these cases, it
is important to make sure that failures beyond the fault-tolerant capability of
the system do not result in either inability to respond safely or in inadvertent
operation. In some cases, this requires that channels be on the same module,
to make sure that a module failure results in the associated signals failing-safe.
It is often necessary to separate signals across modules. Where non-redundant
configurations are employed, it is especially important to make sure that the
fail-safe action is generated in case of failures within the system.
Field loop power and its effect on inputs (sensors and modules) and outputs
(modules and actuators) must be considered. For normally energized
configurations, field-loop power loss leads to fail-safe reaction.
IMPORTANT
In safety-critical applications that use one sensor or single
actuator, it is important that the sensor failure modes be
predictable and understood so that there is little probability of a
failed sensor not responding to a critical process condition. Test
the sensor regularly, either by dynamic process conditions that
are verified in the 1715 system, or by manual intervention testing.
It is recommended that a written test plan is used for all testing.