8
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 1
The ControlLogix/1715 SIL 2 System
– Other EtherNet/IP communication modules can be used for non-
safety loop communication
Redundant ControlLogix Controllers
See the following manuals for the components necessary for a redundant
ControlLogix controller.
•
ControlLogix Redundancy User Manual (1756-UM535)
.
Using ControlLogix in SIL 2 Applications Safety Reference
for the SIL2-certified ControlLogix catalog/
revision numbers.
Controllers, power supplies, adapters, and I/O modules can all be architected in
duplex configurations. Diagnostics can indicate whether each module is running
duplex, simplex, or is faulted. For de-energize to action applications, you can
programmatically decide to Fail to Safe or Run Degraded in the event of a fault.
Note that if Running Degraded on one controller or 1715 I/O module, the
system is still SIL 2 capable since 1756 ControlLogix is capable of running SIL 2
with one controller or 1715 I/O module. It is up to the user if they want to
continue running in this state.
ControlLogix Redundancy uses different firmware than a non-redundant system
does. The major revision is the same but the minor will differ. An example would
be V20.050. This example is the redundancy version of V20 firmware. You must
download the entire bundle from the download site. The bundle contains all
redundancy tested versions for that controller revision.
Theory of Operation
ControlLogix redundancy operates on a Primary and Secondary basis. The
Primary chassis contains the modules that are currently controlling the
application. All the modules in the Secondary chassis are ready to take control
but are currently not running the application. The primary controller keeps the
secondary controller synchronized by sending the data that has changed during
its scan multiple times per scan. That allows the secondary chassis to take control