32
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 4
Using 1715 Hardware in a ControlLogix SIL 2 System
Firmware
To use 1715 modules in a ControlLogix SIL 2 system, you must use firmware that
has been designed for SIL 2 use.
See 1715-CT007xxx for more information
Duplex Configurations
For duplex configurations, a SIL 2 fault-tolerant architecture has dual-input, dual
adapter, and dual output modules. The input and output modules operate in
1oo2D (1 out of 2) under no fault conditions and degrade to 1oo1D (1 out of 1)
upon detection of the first fault in either module. The modules fail-safe if faults
occur on both modules. The adapters operate in 1oo2D under no-fault
conditions and degrade to 1oo1D upon detection of the first fault. A duplex
system could therefore be 1oo2D reverting to 1oo1D on the first detected fault
and reverting to fail-safe when both modules have a fault. Fail-safe is defined as
the ‘de-energized’ or ‘off ’ state. A Simplex Input or Output module is SIL 2
capable. Configuring them in a Duplex configuration adds availability but doesn't
add to the safety capability
Ethernet
The Ethernet architecture has no effect on SIL 2 safety functions. You can use
any appropriate Ethernet network for your application. From a safety aspect, if
the Ethernet packets are not sent successfully, then the SIL 2 safety functions go
to their respective safe states.
Power Supplies
On de-energize-to-trip, two power supplies can be used if fault tolerance is
required on the power supplies.
If only one power supply is used, both of the power connections on the adapter
base must be connected to it (system power can be from another power supply to
the I/O modules).
For energize-to-action, dual power supplies are required for both the system and
field supplies. The system provides the power supply monitoring, but needs to be
connected in the application.
I/O Module Considerations
All I/O modules feature status indicators and can also report faults via
application variables. All modules provide the following status information:
• Module presence
• Module health and status
• Channel health and status
• Field faults
• An echo of the front panel indicators for each module
Input modules support high availability when configured for duplex operation
and using the appropriate termination assembly.