Rockwell Automation Publication 1715-UM001J-EN-P - December 2020
Chapter 7 1715 Redundant I/O System in SIL 2 Safety Applications
Configuring the Output Module Program/Fault Actions
For a SIL 2 safety system, you are responsible for making sure that the SIL 2
related safety code, including the SIL 2 Add-On Instructions, is being
scanned using a safety task watchdog.
See the Using ControlLogix in SIL 2 Safety Applications Reference Manual for
safety watchdog requirements.
Safety Watchdog
Configure the properties of the task that is used for safety correctly for your
application.
• Priority: must be the highest-priority task in the application (lowest
  number).
• Watchdog: the value that is entered for the SIL 2 safety task must be large
  enough for all logic in the task to be scanned.
If the task execution time exceeds the watchdog time, a major fault occurs on
the controller. Users must monitor the watchdog and program the system
outputs to transition to the safe state (typically the OFF state) in the event of a
major fault occurring on the controller. For more information on faults, see the
Using ControlLogix in SIL 2 Safety Applications Reference Manual.
This handles all fault scenarios:
• If a controller fault, such as a watchdog fault, occurs, the controller goes
  to program mode, which causes the 1715 I/O to go to the Program Mode
  states.
• If there is a system fault that causes a communications loss to the I/O
  modules, then the 1715 I/O goes to the Fault Mode states.
• If there is a CRTL (Connection Reaction Time Limit) timeout in the
  1715-AENTR adapter, then the 1715 output modules go to the Fault Mode
  states.
For the 1715-OB8DE, the configuration is found under the Fault/Program
Action tab.
IMPORTANT
The preferred way to meet this controller requirement in a 1715
SIL 2 system is to configure both the PROGRAM MODE and FAULT
MODE tables for the 1715-OB8DE and 1715-OF8I with safe state values.
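
The two task properties listed under Safety Watchdog can be checked offline against a project export before download. The script below is an added example, not Rockwell Automation code: it assumes an XML export with one Task element per task carrying Name, Priority and Watchdog (milliseconds) attributes, and takes the longest scan time you measured for the safety task as an input; the function name and the sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not from a real project). Assumed layout:
# one <Task> element per task with Name, Priority and Watchdog (ms) attributes.
SAMPLE_L5X = """<RSLogix5000Content>
  <Controller Name="Demo">
    <Tasks>
      <Task Name="SafetyTask" Type="PERIODIC" Rate="20" Priority="2" Watchdog="15"/>
      <Task Name="MotionTask" Type="PERIODIC" Rate="10" Priority="1" Watchdog="500"/>
      <Task Name="MainTask" Type="CONTINUOUS" Priority="10" Watchdog="500"/>
    </Tasks>
  </Controller>
</RSLogix5000Content>"""


def audit_safety_task(l5x_text, safety_task, max_scan_ms):
    """Return findings for the two Safety Watchdog rules; [] means both hold.

    max_scan_ms is the longest scan time measured for the task (assumed input).
    """
    tasks = {t.get("Name"): t for t in ET.fromstring(l5x_text).iter("Task")}
    if safety_task not in tasks:
        return [f"{safety_task}: task not found in export"]
    findings = []
    priority = int(tasks[safety_task].get("Priority"))
    # Rule 1: highest priority means the lowest number; a tie also fails.
    for name, task in sorted(tasks.items()):
        if name != safety_task and int(task.get("Priority")) <= priority:
            findings.append(
                f"{name}: priority {task.get('Priority')} is not below "
                f"{safety_task} (priority {priority})")
    # Rule 2: the watchdog must be longer than the longest observed scan.
    watchdog = float(tasks[safety_task].get("Watchdog"))
    if watchdog <= max_scan_ms:
        findings.append(
            f"{safety_task}: watchdog {watchdog:g} ms does not exceed "
            f"measured scan {max_scan_ms:g} ms")
    return findings


if __name__ == "__main__":
    for finding in audit_safety_task(SAMPLE_L5X, "SafetyTask", max_scan_ms=18.0):
        print("FAIL", finding)
```
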